sous-chefs / chef-splunk

Development repository for the chef-splunk cookbook
https://supermarket.chef.io/cookbooks/chef-splunk
Apache License 2.0

Implementing Windows Support for Client Only #200

Open JonoRicci opened 3 years ago

JonoRicci commented 3 years ago

@jjm and I have a need to install the Splunk Universal Forwarder on Windows.

I am planning to submit a pull request soon but I thought I would raise an issue to start a discussion in case there are any details or thoughts we are missing.

Desired Behaviour

The chef-splunk cookbook will install only the Universal Forwarder on:

We only desire to install the Universal Forwarder and not the Splunk server.

At this moment I'm unsure if I need to make additional changes if sending data to Splunk Cloud rather than Splunk Enterprise, and whether that's in the scope of this cookbook.

References

haidangwa commented 3 years ago

Hi @JonoRicci,

Sorry for the delayed response. Things have been crazy busy at work. First, the chef-splunk cookbook doesn't officially support Windows, but I can see where it would be useful to set up as a client to ship logs to a Splunk Server, regardless of the platform.

For my project at work, I created a wrapper cookbook that sets attributes needed to set up a SplunkForwarder. Specifically, these attributes are for my organization, so nothing that I can share here. However, I found that wrapping the chef-splunk cookbook and setting attributes specifically for a Splunk Forwarder install was a way to distribute it to my internal customers without exposing them to all the server-specific internals of the chef-splunk cookbook.

Some of the attributes that I set in my wrapper cookbook for Splunk UF installation are:

```ruby
# Let chef_vault_item fall back to a regular data bag item when no vault item exists
default['chef-vault']['databag_fallback'] = true
default['splunk']['accept_license'] = true

# Universal Forwarder package per platform family, pinned to one release
default['splunk']['forwarder'] = {
  'url' => value_for_platform_family(
    %w(rhel fedora suse amazon) => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-x86_64.rpm',
    'debian' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-amd64.deb',
    'windows' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/windows/splunkforwarder-8.0.4-767223ac207f-x64-release.msi'
  ),
  'version' => '8.0.4',
}

# Wrapper-cookbook attributes consumed by the deploymentclient.conf.erb template
default['twdc_splunk_client']['deployment_client_name'] = node.name
default['twdc_splunk_client']['deployment_server_client_endpoint'] = 'your.deployment-server.endpoint.com:8089'
```

We also install a custom Splunk app that merely consists of a deploymentclient.conf.erb to configure the UF for our internal deployment server endpoint.

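recipes/default.rb:

```ruby
# Forwarder-only install: never configure this node as a Splunk server
node.override['splunk']['is_server'] = false

chef_gem 'iniparse'
require 'iniparse'

# Create the splunk user, then install the Universal Forwarder package
%w(user install_forwarder).each do |r|
  include_recipe "chef-splunk::#{r}"
end

# Custom app that points the forwarder at the deployment server
splunk_app 'deploymentclient_base' do
  templates ['deploymentclient.conf.erb']
  template_variables(
    'deploymentclient.conf.erb' => {
      # Read from the same namespace the attributes file sets (twdc_splunk_client)
      'deployment_client_name' => node['twdc_splunk_client']['deployment_client_name'],
      'deployer_url' => node['twdc_splunk_client']['deployment_server_client_endpoint'],
    }
  )
  remote_directory 'deploymentclient_base'
  action :install
  notifies :restart, 'service[splunk]'
end
```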
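
An added illustration, not part of the comment above and not the cookbook's own code: the comment names a deploymentclient.conf.erb template but does not show it, so the template body, the validation patterns and the helper names below are assumptions. The sketch checks the two template variables before rendering, so a nil or multi-line attribute value cannot produce an empty setting or an extra stanza in deploymentclient.conf.

```ruby
require 'erb'

# Assumed template body (the original post does not show it). Stanza and
# setting names follow Splunk's deploymentclient.conf.
TEMPLATE = <<~CONF
  [deployment-client]
  clientName = <%= @deployment_client_name %>

  [target-broker:deploymentServer]
  targetUri = <%= @deployer_url %>
CONF

# Conservative patterns (an assumption, tighten or loosen for your naming scheme).
# \A and \z anchor the whole string, so embedded newlines are rejected.
CLIENT_NAME = /\A[A-Za-z0-9._-]{1,255}\z/
HOST_PORT = /\A(?<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(?<port>\d{1,5})\z/

# Raise before rendering if a value is nil, empty, or could break out of its line.
def validate_vars!(vars)
  name = vars['deployment_client_name'].to_s
  uri = vars['deployer_url'].to_s
  raise ArgumentError, "bad clientName: #{name.inspect}" unless CLIENT_NAME.match?(name)
  m = HOST_PORT.match(uri)
  unless m && (1..65_535).cover?(m[:port].to_i)
    raise ArgumentError, "bad targetUri: #{uri.inspect}"
  end
  vars
end

# Chef exposes template variables as instance variables; mimic that here.
class RenderContext
  def initialize(vars)
    vars.each { |key, value| instance_variable_set("@#{key}", value) }
  end

  def render(source)
    ERB.new(source).result(binding)
  end
end

def render_deploymentclient(vars)
  RenderContext.new(validate_vars!(vars)).render(TEMPLATE)
end

# True when the input is refused by validation (used for quick checks).
def rejected?(vars)
  render_deploymentclient(vars)
  false
rescue ArgumentError
  true
end
```

In a recipe the same checks can run on the node attributes before they are passed to `template_variables`, so a bad value fails the Chef run instead of reaching the forwarder.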