
Tuesday, September 1, 2020

Install Splunk Universal Forwarder on Linux using Ansible

Before automating the installation, there are some things that need to be taken care of.

Universal Forwarder requires you to create a Splunk administrator username and password during the installation. This can either be entered at the prompt during the installation or specified on the installation command line. To get around this, we will be using a user-seed.conf file that contains a preconfigured username and password, as shown below, which is picked up during the installation. More on that here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount

# Used during the installation to create the admin account (see the Splunk docs
# linked above). It holds the credential in plaintext, so keep it out of version
# control and restrict its file mode on the target host.
[user_info]
USERNAME = admin
PASSWORD = <your password>


The playbook is as follows.

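---
# Installs the Splunk Universal Forwarder from a tarball on the control node,
# seeds the admin account from user-seed.conf, registers the forwarder as a
# boot-start service running as the splunk user, drops the outputs/inputs apps
# in place and finally checks that a connection to the heavy forwarder is up.
- name: Install Universal Forwarder (UF) agent
  hosts: ufservers
  gather_facts: false
  become: true
  vars:
    # Directory on the control node holding the tarball, user-seed.conf and the apps.
    uf_src_dir: /home/yinidu/Linux_UF
    uf_tarball: splunkforwarder-8.0.0-1357bef0a7f6-Linux-x86_64.tgz
    splunk_home: /opt/splunkforwarder
    splunk_user: splunk
    # Receiving port of the heavy forwarder; only used by the final connectivity check.
    hf_port: 9997
    uf_apps:
      - org_all_forwarder_outputs  # outputs configuration pointing at the heavy forwarder
      - Splunk_TA_nix              # input parameters

  tasks:
    - name: Get previous versions of UF if installed
      # grep exits 1 when nothing matches; that means "not installed", not a failure.
      # NOTE: only rpm-based installs are detected; a tarball-only install is not.
      shell: rpm -qa | grep splunk
      register: old_uf_rpms
      changed_when: false
      failed_when: old_uf_rpms.rc not in [0, 1]

    - name: Show previously installed UF packages
      debug:
        var: old_uf_rpms.stdout_lines

    - name: Remove previous version of UF
      # The whole block is skipped on hosts without a previous install, so the
      # chdir into a non-existent bin directory cannot fail the play there.
      when: old_uf_rpms.stdout != ""
      block:
        - name: Remove old splunk from boot script
          command: ./splunk disable boot-start
          args:
            chdir: "{{ splunk_home }}/bin"
          ignore_errors: true

        - name: Stop old splunk
          command: ./splunk stop
          args:
            chdir: "{{ splunk_home }}/bin"
          ignore_errors: true

        - name: Uninstall previous version of UF
          # Join the package list on one line and shell-quote every entry so a
          # multi-line rpm -qa result cannot be interpreted as extra shell commands.
          shell: rpm -e {{ old_uf_rpms.stdout_lines | map('quote') | join(' ') }}
          ignore_errors: true

        - name: Get old splunk process
          shell: netstat -tulpn | grep -i splunkd | awk '{print $7}' | awk -F/ '{print $1}' | head -1
          register: old_uf_proc
          changed_when: false
          failed_when: false

        - name: Kill old splunk process
          # Only a purely numeric PID is accepted, so unexpected netstat output
          # is never handed to kill.
          command: kill -9 {{ old_uf_proc.stdout | trim }}
          when: (old_uf_proc.stdout | trim) is match('^[0-9]+$')

        - name: Remove old splunk dir
          file:
            path: "{{ splunk_home }}"
            state: absent

    - name: Add splunk user
      # Created up front so the install can be chowned to it in one pass below.
      user:
        name: "{{ splunk_user }}"
        state: present
        system: true

    - name: Unpack tgz from control server into /opt
      # unarchive copies and extracts in one step (replaces copy + tar + mv). The
      # tarball carries a top-level splunkforwarder/ directory, so extracting into
      # /opt yields {{ splunk_home }}. Skipped when the binary is already present.
      unarchive:
        src: "{{ uf_src_dir }}/{{ uf_tarball }}"
        dest: /opt
        creates: "{{ splunk_home }}/bin/splunk"

    - name: Copy user seed from control server to remote node
      # Holds the admin credential, so it must not be world-readable. It has to be
      # in place before the first start below.
      copy:
        src: "{{ uf_src_dir }}/user-seed.conf"
        dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
        mode: "0600"

    - name: Install splunk (first start accepts the license and seeds the admin user)
      command: ./splunk start --accept-license --answer-yes --no-prompt
      args:
        chdir: "{{ splunk_home }}/bin"

    - name: Give the first start a moment to finish initialising
      # Fixed delay kept from the original procedure.
      pause:
        seconds: 10

    - name: Stop splunk
      command: ./splunk stop
      args:
        chdir: "{{ splunk_home }}/bin"

    - name: Enable boot-start
      command: ./splunk enable boot-start -user {{ splunk_user }}
      args:
        chdir: "{{ splunk_home }}/bin"

    - name: Copy forwarder apps (outputs to the heavy forwarder, nix inputs)
      # Copied before the service is started so a single start picks them up and
      # no restart is needed.
      copy:
        src: "{{ uf_src_dir }}/{{ item }}"
        dest: "{{ splunk_home }}/etc/apps/"
      loop: "{{ uf_apps }}"

    - name: Give the splunk user ownership of the whole install
      file:
        path: "{{ splunk_home }}"
        owner: "{{ splunk_user }}"
        group: "{{ splunk_user }}"
        recurse: true
        state: directory

    - name: Start splunk
      service:
        name: splunk
        state: started

    - name: Set permission on /var/log
      # Grants the splunk user read/traverse on everything under /var/log, plus a
      # default ACL for files created later. Narrow the path if only some logs are
      # meant to be collected.
      command: setfacl --recursive -m u:{{ splunk_user }}:r-x,d:u:{{ splunk_user }}:r-x /var/log

    - name: Check netstat to make sure UF is connected to the heavy forwarder
      # Requires an ESTABLISHED socket on the receiving port; grep exits 1 and the
      # task fails when no such connection is up, which is the intended signal.
      shell: netstat -an | grep ":{{ hf_port }} " | grep ESTABLISHED
      register: netstat_out
      changed_when: false

    - name: Show the connection to the heavy forwarder
      debug:
        var: netstat_out.stdout_lines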