Deploy:SplunkForwarder for Windows installscript

Topic has been superseded

You might want to look at Deploying Splunk Light Forwarders instead of this page. It has files and scripts packaged, and is more likely to be kept up-to-date. Additionally, it has equivalent scripting for Linux/Unix systems.

What/How/Why

The script below installs Splunk into C:\Program Files\Splunk, enables the LightForwarder, removes the sample data database and sets up Splunk to forward only new event log data (existing history is not forwarded).

The reason I created the script was that my employees aren't familiar with Splunk and its configuration; to ensure Splunk Forwarders are set up correctly I created this script with the help of gkanapathy.

I know this can be done using a Deployment server, but if you're using the free version Deployment is not available.

Preparations

Create Directories

First of all we need to create a directory to store our installation script. In my case I created a Splunk folder and inside it an etc folder to store my configuration files in.

  • Splunk (Main directory)
    • etc (Main configuration directory)
      • apps (Application directory)
        • SplunkForwarder (Main directory for Forward settings)
          • local (Configuration directory)
            • app.conf (Enables the lightforwarder for splunk)
            • indexes.conf (Disables the other indexes)
            • inputs.conf (Configures the input of my Windows eventlogs)
            • outputs.conf (Configures where to send the data to)
        • windows (Default Windows App directory)
          • local (Configuration directory)
            • app.conf (Disables the windows app and WMI input)
      • auth
        • splunk.secret (not sure :P)
      • system (System Settings directory)
        • local (Configuration directory)
          • inputs.conf (Only changes the hostname)
          • server.conf (Only changes the servername)
      • passwd (Password file for admin user)


Download Splunk

Head over to http://www.splunk.com and log in, download Splunk and rename the MSI package to splunk-package.msi. Place the MSI inside the Splunk folder.

Create configuration files

SplunkForwarder app

app.conf

default configuration for SplunkLightForwarder

indexes.conf

default configuration for SplunkLightForwarder

inputs.conf

Added Windows Event Log collection.


# Index Winevents
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1

[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1

outputs.conf

[tcpout]
defaultGroup = XXXForwarder
maxQueueSize = 1000

[tcpout:XXXForwarder]
server = 192.168.4.230:9997

Windows app

app.conf

[install]
state = disabled


System

inputs.conf

[default]
host = ntXXX.yourdomain.local

server.conf

[general]
serverName = ntXXX.yourdomain.local
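Before the installation script copies the etc tree onto a machine it is worth checking that the files above actually say what this page relies on. The following Python validator is an added example (it is not part of the original page and not a Splunk tool); it parses the five .conf files listed above with a small Splunk-style INI reader and checks that every WinEventLog stanza is enabled with current_only = 1 (so no history is forwarded), that outputs.conf points its defaultGroup at a host:port, that the Windows app is disabled, that host and serverName agree, and that no XXX placeholder is left over (an etc tree copied unchanged with ntXXX makes every forwarder report the same host). The in-memory sample tree, the relative paths and the script name validate_etc.py are constructed for the example; run it with the path of a real etc directory to check that instead.

```python
"""Pre-flight check of the SplunkForwarder etc/ tree described on this page.

Added example (not from the page or from Splunk). Run with no argument to
check the constructed sample below, or pass the path of a real etc/ directory:
    python validate_etc.py "C:\\Splunk\\etc"
"""
import re
import sys
from pathlib import Path

# Constructed in-memory copy of the etc/ tree from the page, keyed by path
# relative to etc/, so the example runs without touching disk.
SAMPLE_TREE = {
    "apps/SplunkForwarder/local/inputs.conf": (
        "# Index Winevents\n"
        "[WinEventLog:System]\ndisabled = 0\nstart_from = oldest\ncurrent_only = 1\n\n"
        "[WinEventLog:Security]\ndisabled = 0\nstart_from = oldest\ncurrent_only = 1\n\n"
        "[WinEventLog:Application]\ndisabled = 0\nstart_from = oldest\ncurrent_only = 1\n"
    ),
    "apps/SplunkForwarder/local/outputs.conf": (
        "[tcpout]\ndefaultGroup = XXXForwarder\nmaxQueueSize = 1000\n\n"
        "[tcpout:XXXForwarder]\nserver = 192.168.4.230:9997\n"
    ),
    "apps/windows/local/app.conf": "[install]\nstate = disabled\n",
    "system/local/inputs.conf": "[default]\nhost = ntXXX.yourdomain.local\n",
    "system/local/server.conf": "[general]\nserverName = ntXXX.yourdomain.local\n",
}

STANZA_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^([^=#;]+?)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Keys are case-sensitive and '#' starts a comment, so configparser is not
    used. A repeated stanza is merged and the last value of a key wins.
    """
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = conf.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and stanza is not None:
            stanza[m.group(1)] = m.group(2)
    return conf


def validate_tree(files):
    """Return the list of problems in an etc/ tree ({relative path: text}); empty means OK."""
    problems = []

    def get(path):
        return parse_conf(files.get(path, ""))

    # 1. Every WinEventLog input must be enabled and forward new events only
    #    (current_only = 1), which is the page's stated goal.
    inputs = get("apps/SplunkForwarder/local/inputs.conf")
    stanzas = [s for s in inputs if s.startswith("WinEventLog:")]
    if not stanzas:
        problems.append("inputs.conf: no WinEventLog stanzas")
    for s in stanzas:
        if inputs[s].get("disabled", "0") != "0":
            problems.append(f"inputs.conf: [{s}] is disabled")
        if inputs[s].get("current_only") != "1":
            problems.append(f"inputs.conf: [{s}] would forward event log history")

    # 2. defaultGroup must name a tcpout group whose server is host:port.
    outputs = get("apps/SplunkForwarder/local/outputs.conf")
    group = outputs.get("tcpout", {}).get("defaultGroup")
    server = outputs.get(f"tcpout:{group}", {}).get("server", "")
    if not group or not re.fullmatch(r"[^:\s]+:\d{1,5}", server):
        problems.append(f"outputs.conf: defaultGroup '{group}' has no host:port server")

    # 3. The Windows app must be off so its WMI inputs never start.
    if get("apps/windows/local/app.conf").get("install", {}).get("state") != "disabled":
        problems.append("windows/local/app.conf: [install] state is not 'disabled'")

    # 4. host and serverName must agree, and no XXX placeholder may remain:
    #    a tree copied with ntXXX makes every forwarder report the same host.
    host = get("system/local/inputs.conf").get("default", {}).get("host", "")
    name = get("system/local/server.conf").get("general", {}).get("serverName", "")
    if host != name:
        problems.append(f"host '{host}' and serverName '{name}' differ")
    problems += [f"{p}: placeholder 'XXX' still present" for p, t in files.items() if "XXX" in t]
    return problems


def load_tree(etc_dir):
    """Read every .conf under a real etc/ directory into the mapping validate_tree expects."""
    root = Path(etc_dir)
    return {p.relative_to(root).as_posix(): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*.conf")}


if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    found = validate_tree(tree)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s)")
```

Run against the page's own tree, the validator reports three problems, all of them the XXX placeholders in outputs.conf and the two system/local files; once those are filled in per machine it reports OK, and flipping any current_only to 0 is reported as a stanza that would forward history.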

The Installation Script

@echo off
cls
echo ==========================
echo   Installation started
echo ==========================

setlocal
rem pick the MSI matching the OS architecture (PROCESSOR_ARCHITEW6432 is set when a 32-bit cmd runs on 64-bit Windows)
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" goto b64
IF "%PROCESSOR_ARCHITEW6432%" == "AMD64" goto b64
:b32
set SPLUNK_MSI=N:\Installation Files\x86 versions\splunk-version-build-x86-release.msi
REM set above to path to 32-bit version
goto endb6432

:b64
set SPLUNK_MSI=N:\Installation Files\x86-64 versions\splunk-version-build-x64-release.msi
REM set above to path to 64-bit version
:endb6432

rem install under the 64-bit Program Files when it exists, otherwise the 32-bit one
if not defined ProgramFilesW6432 (
   set LOC=%ProgramFiles%\Splunk
 ) else (
   set LOC=%ProgramFilesW6432%\Splunk
 )
rem the WINEVENLOG*CHECK settings don't do anything in 4.0. They're just carried over from 3.x where they make sure the inputs weren't enabled.
msiexec.exe /i "%SPLUNK_MSI%" INSTALLDIR="%LOC%" LAUNCHSPLUNK=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSYSCHECK=0 WINEVENTLOGSECCHECK=0 SPLUNK_APP="" /QUIET
rem copy the prepared etc tree (apps, passwd, splunk.secret, system settings) over the fresh install;
rem the etc folder is relative to the directory this script is run from
xcopy etc "%LOC%\etc" /s /f /y
rem next line sets/changes drive letter, but not needed with pushd (vs cd)
rem for %%i in ("%LOC%") do %%~di
pushd "%LOC%\bin\"
rem drop the sample data that ships with Splunk, then switch to the forwarder license
splunk clean eventdata sample -f
move "%LOC%\etc\splunk-forwarder.license" "%LOC%\etc\splunk.license"
splunk restart

cls
echo ==========================
echo  Installation completed!
echo ==========================
rem the credentials here must match the etc\passwd file copied in above; admin:changeme is only Splunk's default
splunk show license -auth admin:changeme > C:\splunk-license.txt
popd
endlocal
exit


Hoping this will help you all!

CerielTjuh 09:16, 5 September 2009 (PDT)
