Install Splunk Universal Forwarder
When setting up a new server or application, you may want to get your logs centralised into a Splunk instance for rapid access and analysis. In order to do that you will be required to install the Splunk Universal forwarder on the machine where the logs to be monitored are located.
Guide
The main documentation on how to set up Splunk can be found here: https://docs.splunk.com/Documentation/Splunk/6.5.2/Installation/Whatsinthismanual
There you will see how to:
- Set up a Splunk Enterprise server
- Set up the certificates
- Set up the forwarders
Installation Steps
- Log in to your machine and gain root access
- Download the Splunk Forwarder
- Generate Certificates following: https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Howtoself-signcertificates
You will then have to edit /opt/splunkforwarder/etc/system/local/outputs.conf to configure the Splunk forwarder authentication settings (the CA certificate, the forwarder certificate, its passphrase, and server certificate verification).
More details regarding signed certificates: http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/HowtoprepareyoursignedcertificatesforSplunk
Example:
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = <splunk master host eg:splunk.maestrano.io>:<splunk master port to receive traffic from this forwarder eg:9897>
compressed = true
sslRootCAPath = <path/to/your/CA/certificate.pem>
sslCertPath = <path/to/your/forwarder/certificate.pem>
sslPassword = <a password that will be encrypted by the forwarder on first startup>
sslVerifyServerCert = true
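As an added check (example code, not part of Maestrano's guide or of Splunk's tooling), the following script parses an outputs.conf like the one above and reports a forwarder stanza that still carries template placeholders, has a malformed server target, or does not verify the indexer certificate; the sample config and hostname are constructed.

```python
"""Audit a Splunk forwarder outputs.conf for the TLS settings this guide asks for.
Added example, not Maestrano's or Splunk's own code."""
import configparser
import re

REQUIRED_SSL_KEYS = ("sslRootCAPath", "sslCertPath", "sslPassword")
# Unfilled template values look like <path/to/...> or [YOUR_COMPANY_...]
PLACEHOLDER = re.compile(r"[<\[][^>\]]*[>\]]")


def audit_outputs_conf(text):
    """Return a list of findings for the [tcpout] stanzas; an empty list means it passes."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $SPLUNK_HOME literal
    cp.optionxform = str  # preserve key case: sslRootCAPath, not sslrootcapath
    cp.read_string(text)
    group = cp.get("tcpout", "defaultGroup", fallback="").strip()
    if not group:
        return ["[tcpout] has no defaultGroup, so nothing is forwarded"]
    stanza = "tcpout:" + group
    if not cp.has_section(stanza):
        return ["[%s] stanza is missing" % stanza]
    s, findings = cp[stanza], []
    # Every target must be host:port; a bare host or a template value is a misconfiguration.
    for target in (t.strip() for t in s.get("server", "").split(",") if t.strip()):
        _host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit() or PLACEHOLDER.search(target):
            findings.append("server entry %r is not a host:port pair" % target)
    for key in REQUIRED_SSL_KEYS:
        value = s.get(key, "").strip()
        if not value:
            findings.append("%s is not set" % key)
        elif PLACEHOLDER.search(value):
            findings.append("%s still holds a template placeholder" % key)
    # Without server verification the forwarder would trust any indexer that offers a cert.
    if s.get("sslVerifyServerCert", "false").strip().lower() != "true":
        findings.append("sslVerifyServerCert is not true; indexer cert is not checked")
    return findings


# Constructed sample: the guide's template with only the server and cert path filled in.
SAMPLE_CONF = """[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = splunk.example.com:9897
sslRootCAPath = <path/to/your/CA/certificate.pem>
sslCertPath = $SPLUNK_HOME/etc/auth/maestrano-certs/forwarder.pem
sslPassword = <a password that will be encrypted by the forwarder on first startup>
"""

if __name__ == "__main__":
    for finding in audit_outputs_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against /opt/splunkforwarder/etc/system/local/outputs.conf before the first start; a clean run is what you want before `splunk start` encrypts the sslPassword value in place.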
Finally, start your Splunk forwarder instance and automatically accept the license via:
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
If you want to configure Splunk to automatically start at system boot, you can run:
/opt/splunkforwarder/bin/splunk enable boot-start
You can check the Splunk Forwarder logs by running:
tail -n 150 -f /opt/splunkforwarder/var/log/splunkd.log
You can now monitor a log file or specific folder by running the following command.
splunk add monitor <path-to-my-log> -index <splunk-index-to-use> -hostname <hostname-for-this-log> -auth admin:changeme

# E.g: monitoring logs for the Maestrano rails application in UAT
splunk add monitor /var/log/maestrano -index uat-mno-web -hostname appserver1.apse1 -auth admin:changeme
Installation Script Example
In order to simplify your deployments, you may create a script using this template.
You will first need to:
- Download the forwarder, and have it available on a CDN: https://www.splunk.com/en_us/download/universal-forwarder.html#tabs/linux
- Generate a certificate following: https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Howtoself-signcertificates
#!/bin/bash
# This script is provided by Maestrano for convenience and may need to be adapted to match your infrastructure specificities
# This script installs and configures the splunkforwarder
# You will need to edit and replace [YOUR_COMPANY_DEB_PACKAGE_CDN] or [YOUR_COMPANY_RPM_PACKAGE_CDN], [YOUR_COMPANY_CACERT_CERTIFICATE] and [YOUR_COMPANY_FORWARDER_CERTIFICATE]

# Choose environment
clear
echo "Which environment is this?"
echo "1) UAT/Test"
echo "2) Production"
read environment

if [ "$environment" != "1" ] && [ "$environment" != "2" ]; then
  echo "Invalid choice. Exiting"
  exit 1
fi

# Choose log type
clear
echo "Which type of logs are you going to track with this forwarder?"
echo "1) Web logs (Maestrano, mCluster, Connec etc.)"
echo "2) Nex! logs (Nex! management scripts, apps logs)"
echo "3) Other"
read logtype

if [ "$logtype" != "1" ] && [ "$logtype" != "2" ] && [ "$logtype" != "3" ]; then
  echo "Invalid choice. Exiting"
  exit 1
fi

# Choose right Splunk port based on choices above
port="9"
if [ "$environment" == "1" ]; then
  port="${port}6"
else
  port="${port}9"
fi

if [ "$logtype" == "1" ]; then
  port="${port}98"
elif [ "$logtype" == "2" ]; then
  port="${port}97"
else
  port="${port}99"
fi
echo "Forwarder will be configured to stream to master on port: ${port}"

# Choose server name
# clear
# echo "Enter the name of this server"
# read servername
#
# if [ -z $servername ]; then
#   echo "Server name is empty. Exiting"
#   exit 1
# fi

# Install based on target OS - APT or Yum based
if which dpkg > /dev/null 2>&1; then
  echo "Installing for Debian"
  rm -f /tmp/splunkforwarder-amd64.deb
  # Have deb package available via your cdn, something like http://cdn.yourcompany.com/pkg/splunkforwarder/6.2.1/splunkforwarder-amd64.deb
  # Replace [YOUR_COMPANY_DEB_PACKAGE_CDN] by your debian package cdn url
  # example: dpkg -s splunkforwarder || ( wget -P /tmp http://cdn.yourcompany.com/pkg/splunkforwarder/6.2.1/splunkforwarder-amd64.deb && dpkg -i /tmp/splunkforwarder-amd64.deb )
  dpkg -s splunkforwarder || ( wget -P /tmp [YOUR_COMPANY_DEB_PACKAGE_CDN] && dpkg -i /tmp/splunkforwarder-amd64.deb )
  rm -f /tmp/splunkforwarder-amd64.deb
else
  echo "Installing for RHEL/CentOS/Fedora/AWS Linux"
  [[ $(uname -m) == "i686" ]] && package="splunkforwarder-i386.rpm" || package="splunkforwarder-x86_64.rpm"
  rm -f "/tmp/$package"
  # Replace http://cdn.yourcompany.com/pkg/splunkforwarder/6.2.1 by your own cdn
  # Replace [YOUR_COMPANY_RPM_PACKAGE_CDN] by your rpm package cdn url
  # example: rpm -qa | grep -qw splunkforwarder || ( wget -P /tmp http://cdn.yourcompany.com/pkg/splunkforwarder/6.2.1/$package && rpm -i /tmp/$package )
  rpm -qa | grep -qw splunkforwarder || ( wget -P /tmp [YOUR_COMPANY_RPM_PACKAGE_CDN]$package && rpm -i "/tmp/$package" )
  rm -f "/tmp/$package"
fi

# Configure certs
install_path="/opt/splunkforwarder"
mkdir -p "$install_path/etc/system/local"
mkdir -p "$install_path/etc/auth/maestrano-certs"

# Replace [YOUR_COMPANY_CACERT_CERTIFICATE] by your cacert.pem certificate, something like:
# -----BEGIN CERTIFICATE-----
# 0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
# (...)
# 4Kf5vAucZZVe7g==
# -----END CERTIFICATE-----

# Configure CA Cert
cat > "${install_path}/etc/auth/maestrano-certs/cacert.pem" << 'EOFEOFEOF'
[YOUR_COMPANY_CACERT_CERTIFICATE]
EOFEOFEOF

# Replace [YOUR_COMPANY_FORWARDER_CERTIFICATE] by your forwarder.pem certificate, something like:
# -----BEGIN CERTIFICATE-----
# 0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
# (...)
# 4Kf5vAucZZVe7g==
# -----END CERTIFICATE-----
# -----BEGIN ENCRYPTED PRIVATE KEY-----
# 0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
# (...)
# 4Kf5vAucZZVe7g==
# -----END ENCRYPTED PRIVATE KEY-----
# -----BEGIN CERTIFICATE-----
# 0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
# (...)
# 4Kf5vAucZZVe7g==
# -----END CERTIFICATE-----

# Configure Forwarder PEM
cat > "${install_path}/etc/auth/maestrano-certs/forwarder.pem" << 'EOFEOFEOF'
[YOUR_COMPANY_FORWARDER_CERTIFICATE]
EOFEOFEOF

# Configure outputs
# sslPassword must be the passphrase protecting the forwarder private key; the forwarder encrypts it in place on first startup
cat > "${install_path}/etc/system/local/outputs.conf" << EOFEOFEOF
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = splunk.maestrano.io:${port}
compressed = true
sslRootCAPath = \$SPLUNK_HOME/etc/auth/maestrano-certs/cacert.pem
sslCertPath = \$SPLUNK_HOME/etc/auth/maestrano-certs/forwarder.pem
sslPassword = password
sslVerifyServerCert = true
EOFEOFEOF

# Configure logrotate
cat > /etc/logrotate.d/splunk << 'EOFEOFEOF'
/opt/splunkforwarder/var/log/splunk/*.log /opt/splunkforwarder/var/log/introspection/*.log {
  missingok
  size 10M
  rotate 1
  copytruncate
}
EOFEOFEOF

# Link main folders and binaries
ln -s /opt/splunkforwarder/var/log/splunk /var/log/splunk
ln -s /opt/splunkforwarder/etc /etc/splunk
ln -s /opt/splunkforwarder/bin/splunk /usr/local/bin/splunk

# Start splunk - auto accept everything
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt

# Finally, enable at boot time
/opt/splunkforwarder/bin/splunk enable boot-start

# Notification
echo " "
echo "Splunk forwarder has been installed and configured"
echo "You can now add logs to be monitored using the following command:"
echo "---"
echo "sudo splunk add monitor <path-to-my-log> -index <splunk-index-to-use> -hostname <hostname-for-this-log> -auth admin:changeme"
echo "E.g: sudo splunk add monitor /var/log/maestrano -index uat-mno-web -hostname appserver1.apse1 -auth admin:changeme"
echo "---"