Deploy configurations for all server roles
This procedure describes using the Splunk deployment server to deploy the Splunk App for Windows Infrastructure configurations to Splunk universal forwarders that you have installed on each of the Windows systems in your environment.
If you haven't installed universal forwarders yet, follow the instructions in "Install a universal forwarder on each Windows server" to complete that task before continuing.
Note: You do not have to use a deployment server to deploy the Splunk App for Windows Infrastructure--you can copy the appropriate components to the universal forwarders and search heads by hand if you like. However, a benefit to using deployment server is that you can update the components very easily later, when a new version of the app becomes available.
You can configure your central Splunk instance to be a deployment server, or install full Splunk on another server and configure it as the deployment server.
- For information on using the deployment server, refer to "About deployment server" in the core Splunk documentation.
Prepare the deployment on the deployment server
To configure your deployment server:
%SPLUNK_HOME%\etc\system\local\serverclass.conf on your deployment server to specify a server class for each server role and Windows Server version and optionally one for the server running the reputation service (which must have Internet access). The recommended naming convention is:
Windows-Server-<ServerVersion>for the Windows servers in the deployment (for example, Windows-Server-2003, Windows-Server-2008R2, and so on.)
Windows-ActiveDirectory-<ServerVersion>for the Active Directory domain controllers in the deployment (for example, Windows-ActiveDirectory-2008R2, Windows-ActiveDirectory-2012, and so on.)
CentralAppInstance for the servers in the central Splunk App for Windows Infrastructure instance.
2. Make edits to
%SPLUNK_HOME%\etc\system\local\serverclass.confto ensure that the add-ons you want to deploy go to the right servers:
- Each universal forwarder in the deployment gets
- the Splunk Add-on for Windows (if it is installed on a regular Windows server) or
- the appropriate Active Directory add-on (if it is an Active Directory domain controller.)
- Indexers in the central Splunk App for Windows Infrastructure instance get all of the included add-ons.
- Search heads in the central instance get the app and all of the included add-ons.
Important: Review "Create server classes" for instructions on how to edit serverclass.conf.
Push the components to their respective locations
Once you've completed all desired configuration changes, push the prepared components to their respective locations in your infrastructure:
1. On the deployment server, run the following command to reload the deployment server and update the various Splunk instances:
%SPLUNK_HOME%\bin\splunk reload deploy-server
2. After a few minutes, check that the deployment was pushed correctly with the following command:
%SPLUNK_HOME%\bin\splunk list deploy-clients
3. Wait 10 minutes, then follow the instructions in "Log in and get started" in this manual to view the Splunk App for Windows Infrastructure overview dashboard and confirm that data is coming into the app.
Enable auditing and local PowerShell script execution on Active Directory servers
Install the central Splunk App for Windows Infrastructure instance
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4