I recently had to reinstall my personal Splunk instance and reconfigure my endpoints to log back to my Splunk. In the past, it was a long process of SSHing into each host and manually reinstalling Universal Forwarders on each host. Thankfully, I’ve been learning a bit of Ansible and decided to take on a small side project of building a role that installs Universal Forwarders on Windows, Debian, ARM (Rpi), and FreeBSD clients.
Deployment Clients are kind of neat. Once the Universal Forwarder is installed on the endpoint and a deployment-client.conf file is configured, Splunk can push apps to the UF host that define what monitoring needs to occur on that host.
By doing it this way, you can quickly push out new apps, configurations, and changes to many UF hosts without logging into each.
https://gitlab.austinoneil.com/aoneil/ansible-splunk-forwarder-role
Instructions:
- Make sure you have your Splunk Instance up and running already
- Enable receiving on port 9997 under “Forwarding and receiving” (the default UF receiving port)
- Clone my repo from above into your ansible roles directory
- Edit the default/main.yml variables to match your Splunk environment
- Run the playbook-example.yml against your hosts
- Go into your Splunk instance “Forwarder management”
- Verify that the hosts you ran this playbook against appear in the Splunk forwarder management console
- Move apps (such as “Splunk_TA_Windows” or “Splunk_TA_nix”) into your Splunk /opt/splunk/etc/deployment-apps directory
- Create a new “Server Class” and select the apps to push and the hosts that should receive them
- Note: You may need to set up new indexes to support the deployment apps you push
At this point, you should have logs appearing in Splunk and all it took was a little configuring in Splunk and running an Ansible Playbook!
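For readers who want to see what the role has to lay down on each Linux/FreeBSD host, here is an added example of the two Universal Forwarder config files behind the steps above, written as Ansible tasks. This is not the role from the repo linked above: the variable names (splunk_home, splunk_deployment_server, splunk_indexer), the splunk service account and the SplunkForwarder service name are assumptions, and the file Splunk actually reads for the deployment client is deploymentclient.conf.

```yaml
# Added example, not the linked role. Assumes the UF is already installed under
# splunk_home, runs as user "splunk", and was registered as the SplunkForwarder service.
- name: Point the forwarder at the deployment server (management port 8089 by default)
  ansible.builtin.copy:
    dest: "{{ splunk_home }}/etc/system/local/deploymentclient.conf"
    owner: splunk
    group: splunk
    mode: "0600"            # config may later hold credentials; keep it private
    content: |
      [deployment-client]
      # how often (seconds) the client phones home to check for new server-class apps
      phoneHomeIntervalInSecs = 60

      [target-broker:deploymentServer]
      targetUri = {{ splunk_deployment_server }}:8089
  notify: restart splunkforwarder

- name: Send events to the receiving port enabled under "Forwarding and receiving"
  ansible.builtin.copy:
    dest: "{{ splunk_home }}/etc/system/local/outputs.conf"
    owner: splunk
    group: splunk
    mode: "0600"
    content: |
      [tcpout]
      defaultGroup = primary_indexers

      [tcpout:primary_indexers]
      # 9997 is plaintext by default; on anything but a lab network also set
      # useSSL = true here and enable TLS on the receiver so logs are not readable in transit
      server = {{ splunk_indexer }}:9997
  notify: restart splunkforwarder

# Handler (goes in handlers/main.yml of the role); the service name is an assumption
# that matches "splunk enable boot-start" on a systemd host.
- name: restart splunkforwarder
  ansible.builtin.service:
    name: SplunkForwarder
    state: restarted
```

After the play runs, the host should phone home within about a minute and show up under “Forwarder management”; if it does not, the deployment server port (8089) is the first thing to check from the client side.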