
Implementing Windows Support for Client Only

Open JonoRicci opened this issue 5 years ago • 1 comments

@jjm and I have a need to install the Splunk Universal Forwarder on Windows.

I am planning to submit a pull request soon but I thought I would raise an issue to start a discussion in case there are any details or thoughts we are missing.

Desired Behaviour

The chef-splunk cookbook will install only the Universal Forwarder on:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

We only desire to install the Universal Forwarder and not the Splunk server.

At this moment I'm unsure if I need to make additional changes if sending data to Splunk Cloud rather than Splunk Enterprise, and whether that's in the scope of this cookbook.

JonoRicci, Nov 09 '20 10:11

Hi @JonoRicci,

Sorry for the delayed response. Things have been crazy busy at work. First, the chef-splunk cookbook doesn't officially support Windows, but I can see where it would be useful to set up as a client to ship logs to a Splunk Server, regardless of the platform.

For my project at work, I created a wrapper cookbook that sets attributes needed to set up a SplunkForwarder. Specifically, these attributes are for my organization, so nothing that I can share here. However, I found that wrapping the chef-splunk cookbook and setting attributes specifically for a Splunk Forwarder install was a way to distribute it to my internal customers without exposing them to all the server-specific internals of the chef-splunk cookbook.

Some of the attributes that I set in my wrapper cookbook for Splunk UF installation are:

default['chef-vault']['databag_fallback'] = true
default['splunk']['accept_license'] = true
default['splunk']['forwarder'] = {
  'url' => value_for_platform_family(
    %w(rhel fedora suse amazon) => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-x86_64.rpm',
    'debian' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-amd64.deb',
    'windows' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/windows/splunkforwarder-8.0.4-767223ac207f-x64-release.msi'
  ),
  'version' => '8.0.4',
}

default['twdc_splunk_client']['deployment_client_name'] = node.name
default['twdc_splunk_client']['deployment_server_client_endpoint'] = 'your.deployment-server.endpoint.com:8089'

We also install a custom Splunk app that merely consists of a deploymentclient.conf.erb to configure the UF for our internal deployment server endpoint.

recipes/default.rb:

node.override['splunk']['is_server'] = false

chef_gem 'iniparse'
require 'iniparse'

%w(user install_forwarder).each do |r|
  include_recipe "chef-splunk::#{r}"
end

splunk_app 'deploymentclient_base' do
  templates ['deploymentclient.conf.erb']
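  # Read from the same 'twdc_splunk_client' namespace the attributes above are set in;
  # node['deployment_client_name'] at the top level would be nil.
  template_variables(
    'deploymentclient.conf.erb' => {
      'deployment_client_name' => node['twdc_splunk_client']['deployment_client_name'],
      'deployer_url' => node['twdc_splunk_client']['deployment_server_client_endpoint'],
    }
  )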
  remote_directory 'deploymentclient_base'
  action :install
  notifies :restart, 'service[splunk]'
end

haidangwa, Nov 17 '20 01:11
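
Added example, not code from this thread or from the chef-splunk project: a stand-alone Ruby check that renders a deploymentclient.conf.erb with the two template variables named in the recipe above and flags an empty clientName or a targetUri that is not host:port, which is what a nil node attribute would produce. The template body and the helper names (render, parse_conf, problems) are assumptions, since the real template is not shown in the thread; instance-variable access mirrors how Chef templates expose variables.

```ruby
require 'erb'

# Hypothetical template body (the thread does not show the real one).
TEMPLATE = <<~'CONF'
  [deployment-client]
  clientName = <%= @deployment_client_name %>

  [target-broker:deploymentServer]
  targetUri = <%= @deployer_url %>
CONF

# Render the template with variables exposed as instance variables.
def render(vars)
  ctx = Object.new
  vars.each { |k, v| ctx.instance_variable_set("@#{k}", v) }
  ERB.new(TEMPLATE).result(ctx.instance_eval { binding })
end

# Minimal Splunk .conf parser: [stanza] headers and key = value pairs.
def parse_conf(text)
  stanzas = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      stanzas[current][m[1]] = m[2]
    end
  end
  stanzas
end

# Return a list of problems in the rendered config (empty list means OK).
def problems(vars)
  conf = parse_conf(render(vars))
  name = conf['deployment-client']['clientName'].to_s
  uri  = conf['target-broker:deploymentServer']['targetUri'].to_s
  errs = []
  errs << 'clientName is empty' if name.empty?
  errs << "targetUri #{uri.inspect} is not host:port" unless uri.match?(/\A[A-Za-z0-9.-]+:\d{1,5}\z/)
  errs
end

# Constructed sample values; the endpoint is the placeholder from the post.
SAMPLE = { 'deployment_client_name' => 'web01',
           'deployer_url' => 'your.deployment-server.endpoint.com:8089' }.freeze
puts problems(SAMPLE).empty? ? 'config OK' : problems(SAMPLE)
```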