Documentation: 3.0.1
This page last updated: 06/20/07 12:06pm

Automated installation

We are still working on this topic for 3.0.

Comments

  1. @MichaelE thanks for the tips!

  2. Some tips on installing a Windows Forwarder only server:

    The Objective: Install a forward only Splunk instance on a Windows server

    Requisites:
    - Forwarder License
    - Admin Level access to Server being configured
    - Network share to house install files

    Preparation:

    - Create a network share (\\sharingserver\splunk)
    - Place splunk install file into that share (in this example - splunk-3.3.1-39933-release.msi)
    - Place a copy of your forwarder licence file there as well (name it splunk.license)

    Overview:

    Rather than having to manually configure this all via the GUI, with this process I've managed to limit the GUI interaction to only the installation of the Splunk MSI file. The following commands can be executed via the CMD shell.

    "\\sharingserver\splunk\splunk-3.3.1-39933-release.msi"

    This starts the installation of the server. You will need to click through the screens, selecting the appropriate options for your installation. Hopefully I'll be able to figure out if this package will accept transforms and then I can also add that. At the end of the install, go ahead and allow splunkd to start, but you don't need to start the web interface.

    Next copy the license file and restart splunkd.

    copy "\\sharingserver\splunk\splunk.license" "c:\program files\splunk\etc\splunk.license"
    "c:\program files\splunk\bin\splunk.exe" restart splunkd

    At this point splunk will behave like a licensed version and that means that the admin password will have changed. We need to set that to somethingsensible (yeah, that means you should pick something sensible to replace that with) and it will be re-used throughout the rest of the commands:

    This resets the password to 'somethingsensible'
    "c:\program files\splunk\bin\splunk.exe" edit user admin -password somethingsensible -auth admin:changeme

    This adds a forward-server called 'splunk.yourcompany.com' that listens on port 9997
    "c:\program files\splunk\bin\splunk.exe" add forward-server splunk.yourcompany.com:9997 -auth admin:somethingsensible

    This sets the server you're configuring to be a forward only server
    "c:\program files\splunk\bin\splunk.exe" set server-type forwarder -auth admin:somethingsensible

    This disables the webserver
    "c:\program files\splunk\bin\splunk.exe" disable webserver -auth admin:somethingsensible

    This restarts the splunkd
    "c:\program files\splunk\bin\splunk.exe" restart splunkd -auth admin:somethingsensible

    After this I recommend visiting the Services control panel applet and setting Splunkd to automatically start and also some sensible recovery parameters.

    I'll continue to hone this but I wanted to share what I had for now.

    Michael Eraña, CISA, CISSP
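
The post-install steps from the comment above, collected into one PowerShell script as an added example (not part of the original comment and not Splunk's own tooling). It prompts for the new admin password instead of storing it in the file, stops at the first failing command, and replaces the Services applet step with `sc.exe`; the service name `Splunkd`, the recovery values, and the assumption that `splunk.exe` returns a non-zero exit code on failure are mine.

```powershell
# Added example. Run from an elevated PowerShell prompt after the MSI install.
# Assumptions: default install path, service name "Splunkd", non-zero exit code on failure.
$ErrorActionPreference = 'Stop'

$Share     = '\\sharingserver\splunk'
$SplunkDir = 'C:\Program Files\Splunk'
$Splunk    = Join-Path $SplunkDir 'bin\splunk.exe'
$License   = Join-Path $Share 'splunk.license'
$Forwarder = 'splunk.yourcompany.com:9997'
$Service   = 'Splunkd'   # assumed Windows service name

function Invoke-Checked {
    # Run a native command and stop on failure. Only the sub-command name is
    # reported, never the full argument list, because it contains the password.
    param([string]$Exe, [string[]]$ExeArgs)
    & $Exe @ExeArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ExeArgs[0]) failed with exit code $LASTEXITCODE" }
}

function Read-PlainPassword {
    # Prompt without echoing; return the plain text the -auth argument needs.
    param([string]$Prompt)
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Fail early if the install or the license file is missing.
if (-not (Test-Path $Splunk))  { throw "Splunk is not installed at $SplunkDir" }
if (-not (Test-Path $License)) { throw "License file not found: $License" }

# Install the forwarder license, then restart so it takes effect.
Copy-Item $License (Join-Path $SplunkDir 'etc\splunk.license') -Force
Invoke-Checked $Splunk 'restart', 'splunkd'

# Replace the default admin:changeme credential before anything else.
$NewPassword = Read-PlainPassword 'New Splunk admin password'
$Auth = "admin:$NewPassword"
Invoke-Checked $Splunk 'edit', 'user', 'admin', '-password', $NewPassword, '-auth', 'admin:changeme'

# Forward-only configuration, same commands as in the comment.
Invoke-Checked $Splunk 'add', 'forward-server', $Forwarder, '-auth', $Auth
Invoke-Checked $Splunk 'set', 'server-type', 'forwarder', '-auth', $Auth
Invoke-Checked $Splunk 'disable', 'webserver', '-auth', $Auth
Invoke-Checked $Splunk 'restart', 'splunkd', '-auth', $Auth

# Automatic start plus restart-on-failure (values are constructed examples).
Invoke-Checked 'sc.exe' 'config', $Service, 'start=', 'auto'
Invoke-Checked 'sc.exe' 'failure', $Service, 'reset=', '86400', 'actions=', 'restart/60000/restart/60000/restart/60000'
```

The password is still passed to `splunk.exe` through `-auth`, as in the comment's commands, so it is visible in the process command line while each command runs; prompting only keeps it out of the script file and the shell history.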
