Deploy:SplunkForwarder for Windows installscript
From Splunk Wiki
Topic has been superseded
You might want to look at Deploying Splunk Light Forwarders instead of this page. It has files and scripts packaged, and is more likely to be kept up-to-date. Additionally, it has equivalent scripting for Linux/Unix systems.
What/How/Why
The script below installs Splunk into C:\Program Files\Splunk, enables the LightForwarder, removes the sample data database and sets up Splunk to forward only new event log data (history is not forwarded).
The reason I created the script was that my employees aren't familiar with Splunk and its configuration; to ensure Splunk Forwarders are set up correctly, I created this script with the help of gkanapathy.
I know this can be done using a Deployment server, but if you're using the free version, Deployment is not available.
Preparations
Create Directories
First of all, we need to create a directory to store our installation script. In my case I created a Splunk folder and, inside it, an etc folder to store my configuration files.
- Splunk (Main directory)
  - etc (Main configuration directory)
    - apps (Application directory)
      - SplunkForwarder (Main directory for Forward settings)
        - local (Configuration directory)
          - app.conf (Enables the lightforwarder for splunk)
          - indexes.conf (Disables the other indexes)
          - inputs.conf (Configures the input of my Windows eventlogs)
          - outputs.conf (Configures where to send the data to)
      - windows (Default Windows App directory)
        - local (Configuration directory)
          - app.conf (Disables the windows app and WMI input)
    - auth
      - splunk.secret (not sure :P)
    - system (System Settings directory)
      - local (Configuration directory)
        - inputs.conf (Only changes the hostname)
        - server.conf (Only changes the servername)
    - passwd (Password file for admin user)
Download Splunk
Head over to http://www.splunk.com and log in, download Splunk and rename the MSI package to splunk-package.msi. Place the MSI inside the Splunk folder.
Create configuration files
SplunkForwarder app
app.conf
Default configuration for SplunkLightForwarder.
indexes.conf
Default configuration for SplunkLightForwarder.
inputs.conf
Adds Windows Event Log collection (indexes the Windows event logs; current_only = 1 means only events written after the forwarder starts are sent):
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1
outputs.conf
[tcpout]
defaultGroup = XXXForwarder
maxQueueSize = 1000
[tcpout:XXXForwarder]
server = 192.168.4.230:9997
Windows app
app.conf
[install]
state = disabled
System
inputs.conf
[default]
host = ntXXX.yourdomain.local
server.conf
[general]
serverName = ntXXX.yourdomain.local
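A sanity check for the configuration bundle above, added here as an example (it is not from the original page and not Splunk's own code): it parses the forwarder's inputs.conf and outputs.conf stanzas and confirms that every WinEventLog input is enabled with current_only = 1, so history is not forwarded, and that the tcpout defaultGroup names a defined group with a host:port target. The sample conf text is constructed; one stanza deliberately lacks current_only to show the check firing.

```python
import re

# Constructed sample input (not from a real host): the Application stanza
# deliberately lacks current_only = 1, so old events would be replayed.
INPUTS_CONF = """[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
[WinEventLog:Application]
disabled = 0
start_from = oldest
"""
OUTPUTS_CONF = """[tcpout]
defaultGroup = XXXForwarder
maxQueueSize = 1000
[tcpout:XXXForwarder]
server = 192.168.4.230:9997
"""

def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_forwarder(inputs_text, outputs_text):
    """Return problems found; an empty list means the bundle matches the page's intent."""
    problems = []
    for name, kv in parse_conf(inputs_text).items():
        if not name.startswith("WinEventLog:"):
            continue
        if kv.get("disabled", "1") != "0":
            problems.append(f"{name}: input is disabled")
        if kv.get("current_only") != "1":
            problems.append(f"{name}: current_only is not 1, history would be forwarded")
    outputs = parse_conf(outputs_text)
    group = outputs.get("tcpout", {}).get("defaultGroup", "")
    target = outputs.get("tcpout:" + group, {}).get("server", "")
    if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", target):
        problems.append(f"tcpout: defaultGroup '{group}' has no server host:port")
    return problems
```

Run check_forwarder on the etc\apps\SplunkForwarder\local files before copying the bundle to each host; any non-empty result means the forwarder would not behave as described above.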
The Installation Script
@echo off
cls
echo ==========================
echo Installation started
echo ==========================
setlocal

IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" goto b64
IF "%PROCESSOR_ARCHITEW6432%" == "AMD64" goto b64
:b32
set SPLUNK_MSI=N:\Installation Files\x86 versions\splunk-version-build-x86-release.msi
REM set above to path to 32-bit version
goto endb6432
:b64
set SPLUNK_MSI=N:\Installation Files\x86-64 versions\splunk-version-build-x64-release.msi
REM set above to path to 64-bit version
:endb6432
REM the quotes around the assignment keep a ")" in "Program Files (x86)" from
REM closing the parenthesised block early when this runs in a 32-bit cmd.exe
if not defined ProgramFilesW6432 (
    set "LOC=%ProgramFiles%\Splunk"
) else (
    set "LOC=%ProgramFilesW6432%\Splunk"
)

rem the WINEVENLOG*CHECK settings don't do anything in 4.0. They're just carried over from 3.x where they make sure the inputs weren't enabled.
msiexec.exe /i "%SPLUNK_MSI%" INSTALLDIR="%LOC%" LAUNCHSPLUNK=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSYSCHECK=0 WINEVENTLOGSECCHECK=0 SPLUNK_APP="" /QUIET
rem copy the prepared etc tree (run this script from the Splunk folder that contains it)
xcopy etc "%LOC%\etc" /s /f /y
rem next line sets/changes drive letter, but not needed with pushd (vs cd)
rem for %%i in ("%LOC%") do %%~di
pushd "%LOC%\bin\"
splunk clean eventdata sample -f
move "%LOC%\etc\splunk-forwarder.license" "%LOC%\etc\splunk.license"
splunk restart
cls
echo ==========================
echo Installation completed!
echo ==========================
rem uses Splunk's default admin credentials; change them once the install is verified
splunk show license -auth admin:changeme > C:\splunk-license.txt
popd
endlocal
exit
Hoping this will help you all!
CerielTjuh 09:16, 5 September 2009 (PDT)