This app generates a string a code that completes the following, after being entered into powershell or bash:
- Downloading the universal forwarder (v7.1.x) from splunk.
- Installing the forwarder
- Generating and configuring the following files
- deploymentclient.conf
- Settings for what deployment server to phonehome into, and changing the deployment client's name to be automatically pulled into the serverclass included with the app.
- outputs.conf
- Settings for what indexers the forwarder should send data to.
- inputs.conf
- Settings for what inputs should be enabled right after install (note that specifying inputs from the deployment server using serverclasses is best practices)
- user-seed.conf
- Settings for configuring the credentials to manage the forwarder locally
- deploymentclient.conf
- Start the forwarder
- Set up the forwarder to run at boot.
The app is meant to be installed on the deployment server and the search head, or a combined instance of the two.
Extract the zip to the $SPLUNK_HOME/etc/apps/ folder. (Make sure the folder's name after you extract is "ez-forwarder")
Or
In your terminal, Navigate to $SPLUNK_HOME/etc/apps/ and clone the repository with the following command:
git clone https://github.com/xSprout/ez-forwarder.git
Fill out the fields on the app:
- Deployment server - should be the IP:Port of the deployment. By default it is the host you are currently connecting to (whatever is in the URL bar)
- Outputs - should be a comma-delimited list of the IP:Ports of your indexer tier. By default this is set to any connected search peers, and if none are found; it is the host you are currently connecting to (whatever is in the URL bar) with the port 9997.
- Inputs - Just the inputs.conf text you want on the forwarder.
- See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf for details.
- Configure Forwarder credentials - The username and password you want the forwarder to accept when making changes locally.
- Run the script
- Copy-Paste - Copy paste the one-liner into bash (*nix machines) or powershell as administrator (windows machines)
- OR (*nix search head and clients only, requires hostkey) - Enter the details of the deployment client to install the forwarder to with a click of a button.
- Enter the IP/FQDN of the host you want to ssh into
- Enter the username that should be used to ssh into the client
- Enter the absolute location of the hostkey on the Search Head/Deployment Server
- Click the button to have the SH/DS ssh into the client and execute the script. Area below should come up with a result.
The app comes with preconfigured serverclasses for forwarder deployed using this tool, separated for Windows/*Nix clients. There are also prepackaged TAs in the deployment-apps folder:
- Add-On for Microsoft Active Directory
- Add-On for Microsft DNS
- Add-On for Windows Infrastructure (v4.8.4)
- Add-On for Microsoft Sysmon
- Add-On for Microsoft Exchange
- Add-on for Unix and Linux