We are not going to cover the Splunk Heavy Forwarder as that installation is rare and only required for niche use cases.
Before You Start
The main Splunk infrastructure servers are located in AWS. The servers where the agent is installed will need to have access to the internet. If this is not possible or easy to accommodate, please contact the Splunk Service Admin at splunk-support@illinois.edu for an alternative internal deployment-server address and appropriate whitelist settings.
Linux
The example below uses an Amazon Linux 2 AMI instance. Adjustments may need to be made depending on your Linux version and security posture (such as SELinux).

- It is recommended that you run Splunk as a non-root user. This user will require access to the files that will be monitored, which may require permission adjustments.
- It is imperative that once you set up Splunk you do not manipulate any Splunk configuration files (located in /opt/splunkforwarder) under any user other than the user that runs the Splunk agent.
- In the following examples we assume that you are running the commands as the account that will run the agent and that you have been given the appropriate permissions to run the binaries.
- Please consult your OS-specific documentation and your System Administration team for how to create users and adjust permissions so that you can run the agent as a non-root user.
- Stop the Splunk agent.

  ```
  /opt/splunkforwarder/bin/splunk stop
  ```
- Download the current supported version of the agent from http://go.illinois.edu/splunk-uf-linux-current into a temporary location.

  ```
  wget -O /tmp/universalforwarder-linux.tgz https://go.illinois.edu/splunk-uf-linux-current
  ```
- Extract the installation into your Splunk Forwarder directory and discard the downloaded file. In this example we installed to the /opt directory; not all system configurations will allow this.

  ```
  tar -xvf /tmp/universalforwarder-linux.tgz -C /opt
  rm /tmp/universalforwarder-linux.tgz
  ```
  NOTE: Splunk by default expects to be installed into /opt/splunkforwarder. You can adjust this location based on your system's configuration.
- Run the forwarder for the first time, replacing the password if prompted. Not all upgrade scenarios will prompt for a password.

  ```
  /opt/splunkforwarder/bin/splunk start --accept-license --no-prompt --answer-yes
  ```
- To forward to the Splunk environment starting in 2019, you will need to perform the following changes to point to the new Deployment Server.
  - Verify that there are no Deployment Server settings in $SPLUNK_HOME/etc/system/local/deploymentclient.conf. If they exist, comment them out with a #. The new default deployment-server app will take care of these.

    ```
    [target-broker:deploymentServer]
    #targetUri = splunk-deploy.opia.illinois.edu:8089
    ```
  - If the Default Deployment-Server app has not been installed into $SPLUNK_HOME/etc/apps, download the default app from https://go.illinois.edu/default-deployment-server and configure it for the deployment server. MAKE SURE YOU RESTART IMMEDIATELY, as the permissions are initially very permissive. See the instructions below if you do not know your local Splunk Universal Forwarder admin password.

    ```
    wget -O /tmp/default-deployment-server.spl https://go.illinois.edu/default-deployment-server
    ### See instructions below if you do not know your local Splunk UF local admin password ###
    /opt/splunkforwarder/bin/splunk install app /tmp/default-deployment-server.spl -auth admin:password_you_entered_in_a_previous_step
    /opt/splunkforwarder/bin/splunk restart
    rm /tmp/default-deployment-server.spl
    ```
    If you are unsure what your password is, you can extract the SPL application using tar and put the folder directly into the apps directory located in $SPLUNK_HOME/etc/apps.

    ```
    ### Stop the agent if it is not already stopped
    /opt/splunkforwarder/bin/splunk stop
    wget -O /tmp/default-deployment-server.spl https://go.illinois.edu/default-deployment-server
    tar xvf /tmp/default-deployment-server.spl -C /opt/splunkforwarder/etc/apps
    /opt/splunkforwarder/bin/splunk start
    rm /tmp/default-deployment-server.spl
    ```
  - Verify the file permissions of the folder that was installed into $SPLUNK_HOME/etc/apps/illinois-deploymentclient-9-DEFAULT-splunk-deployment.machinedata.illinois.edu-CONF. If the app permissions are overly permissive, you can reset the permission to 700.
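The two post-upgrade checks above (no active targetUri left in deploymentclient.conf, and a 700 mode on the deployment-client app folder) as a small POSIX sh script. This is an added example, not part of the original instructions; it assumes SPLUNK_HOME defaults to /opt/splunkforwarder, uses the app folder name quoted in the text, and should be run as the user that runs the agent.

```shell
#!/bin/sh
# Added example, not part of the original instructions. It automates the two
# post-upgrade checks the steps above describe: no active targetUri left in
# deploymentclient.conf, and a 700 mode on the deployment-client app folder.
# Assumptions: SPLUNK_HOME defaults to /opt/splunkforwarder; the app folder
# name is the one quoted in the text. Run as the user that runs the agent.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DC_CONF="$SPLUNK_HOME/etc/system/local/deploymentclient.conf"
DC_APP="$SPLUNK_HOME/etc/apps/illinois-deploymentclient-9-DEFAULT-splunk-deployment.machinedata.illinois.edu-CONF"

# Exit 0 when the file is absent or every targetUri line is already commented out.
no_active_target_uri() {
    [ -f "$1" ] || return 0
    ! grep -Eq '^[[:space:]]*targetUri[[:space:]]*=' "$1"
}

# Comment out any still-active targetUri line (keeps a .bak copy) so the
# default deployment-server app's setting is the one that applies.
comment_out_target_uri() {
    [ -f "$1" ] || return 0
    sed -i.bak -E 's/^([[:space:]]*)(targetUri[[:space:]]*=)/\1#\2/' "$1"
}

# The six group/other permission characters of a path, e.g. "r-xr-x".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Reset the app folder to 700 if anything is open to group or others.
tighten_app_dir() {
    [ -d "$1" ] || { echo "missing app folder: $1" >&2; return 1; }
    if [ "$(group_other_bits "$1")" != "------" ]; then
        echo "tightening $1 to 700" >&2
        chmod 700 "$1"
    fi
    [ "$(group_other_bits "$1")" = "------" ]
}

main() {
    if no_active_target_uri "$DC_CONF"; then
        echo "deploymentclient.conf: no active targetUri"
    else
        comment_out_target_uri "$DC_CONF" && echo "commented out targetUri in $DC_CONF"
    fi
    tighten_app_dir "$DC_APP"
}

# Invoke as: sh check_forwarder.sh run   (only defines the functions otherwise)
if [ "${1:-}" = "run" ]; then main; fi
```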
Windows
- Back up the Splunk configuration files located in the etc folder.
  - Usually they are located in C:\Program Files\SplunkUniversalForwarder\etc
  - NOTE: If you are running Splunk as an administrator account, you may need to use Run As to launch or manipulate the Splunk configuration files.
- Download the current supported version of the agent from http://go.illinois.edu/splunk-uf-windows-current and run it.
  - Close any applications that Splunk warns are in conflict.
  - Wait.
  - Complete.
- Using Explorer and your favorite text editor, verify that there are no Deployment Server settings in $SPLUNK_HOME\etc\system\local\deploymentclient.conf; if there are, comment them out.

  ```
  [target-broker:deploymentServer]
  #targetUri = splunk-deploy.opia.illinois.edu:8089
  ```
- Download the default-deployment-server configuration from https://go.illinois.edu/default-deployment-server
- Open a command prompt window.
- Navigate to the bin directory of the SplunkUniversalForwarder. For example: cd Program Files\SplunkUniversalForwarder\bin
- Run the following commands to load the default-deployment-server app and restart:

  ```
  splunk stop
  splunk install app <full path to default-deployment-server.spl> -auth admin:password_you_entered_in_a_previous_step
  splunk start
  ```
  - If you are unsure what your password is, you can extract the application using a tool like 7-Zip and put the folder directly into the apps directory located in $SPLUNK_HOME\etc\apps.
- You are now ready to contact the Splunk Service team to finish whitelisting/configuration.

