voxpupuli / puppet-splunk

Manage Splunk servers and forwarders using Puppet
https://forge.puppet.com/puppet/splunk
Apache License 2.0

Issue with services when using forwarder and indexer on the same server #67

Open Vincent-- opened 8 years ago

Vincent-- commented 8 years ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

Install both splunk forwarder and splunk server

What are you seeing

The install is ok but the corresponding services are not created properly. There is only one service in /etc/init.d with the name splunk and it corresponds to the first service that has been installed during the installation (so it might be splunk-forwarder or splunk-server depending on the order you call the 2 classes).

In my case, every time I changed configuration files related to splunk server, it was the splunk forwarder which was restarted (took me ages to understand why my new settings weren't taken into account).

What behaviour did you expect instead

Puppet should manage the 2 services independently: one to restart splunk-forwarder and one to restart splunk-server.

Output log

Any additional information you'd like to impart

The corresponding resources declare the same file so that couldn't work

  @exec { 'enable_splunkforwarder':
    # The path parameter can't be set because the boot-start silently fails on systemd service providers
    command => "${splunk::params::forwarder_dir}/bin/splunk enable boot-start -user ${splunk_user}",
    creates => '/etc/init.d/splunk',
    require => Exec['license_splunkforwarder'],
    tag     => 'splunk_forwarder',
    notify  => Service['splunk'],
  }

When the first exec has run, the second exec below is never executed as the '/etc/init.d/splunk' file already exists.

  @exec { 'enable_splunk':
    # The path parameter can't be set because the boot-start silently fails on systemd service providers
    command => "${splunk::params::server_dir}/bin/splunk enable boot-start -user ${splunk_user}",
    creates => '/etc/init.d/splunk',
    require => Exec['license_splunk'],
    tag     => 'splunk_server',
  }
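
Added illustration, not part of the thread and not code from the puppet-splunk module: a small Ruby check that flags exec resources sharing one `creates` guard while running different commands, which is the condition described in the issue above. The `constructed_example` resource and its path are made up for the sample, and the regex scan assumes each resource closes with `}` on its own line and uses quoted attribute values.

```ruby
# Added example: a regex scan, not a full Puppet parser. It assumes each exec
# body closes with a `}` on its own line and uses quoted attribute values.
EXEC_RE    = /(?<![\w:])@?exec\s*\{\s*'([^']+)'\s*:(.*?)^\s*\}/m
CREATES_RE = /^\s*creates\s*=>\s*(["'])(.*?)\1/
COMMAND_RE = /^\s*command\s*=>\s*(["'])(.*?)\1/

# Returns { creates_path => [[exec_title, command], ...] } for every path that
# guards two or more execs running different commands. Puppet skips an exec
# once its `creates` file exists, so only the first of each group ever runs.
def creates_collisions(manifest)
  by_path = Hash.new { |h, k| h[k] = [] }
  manifest.scan(EXEC_RE) do |title, body|
    path = body[CREATES_RE, 2]
    by_path[path] << [title, body[COMMAND_RE, 2]] if path
  end
  by_path.select { |_, execs| execs.map(&:last).uniq.size > 1 }
end

# Sample input: the two execs quoted in the issue, plus one constructed exec
# (hypothetical title and path) that has its own guard file.
SAMPLE = <<~'PP'
  @exec { 'enable_splunkforwarder':
    command => "${splunk::params::forwarder_dir}/bin/splunk enable boot-start -user ${splunk_user}",
    creates => '/etc/init.d/splunk',
    notify  => Service['splunk'],
  }
  @exec { 'enable_splunk':
    command => "${splunk::params::server_dir}/bin/splunk enable boot-start -user ${splunk_user}",
    creates => '/etc/init.d/splunk',
  }
  exec { 'constructed_example':
    command => '/bin/true',
    creates => '/tmp/constructed_marker',
  }
PP

if __FILE__ == $PROGRAM_NAME
  creates_collisions(SAMPLE).each do |path, execs|
    puts "#{path} guards #{execs.size} different commands:"
    execs.each { |title, cmd| puts "  Exec['#{title}'] -> #{cmd}" }
  end
end
```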

TraGicCode commented 7 years ago

@Vincent-- Can you explain your use case for having an installation of splunk enterprise + universal forwarder on the same machine? Installing a splunk enterprise instance by default allows you to monitor local data.

jonwalthour commented 5 years ago

@TraGicCode — you’d want to install a forwarder on a Splunk Enterprise instance because you’d never want to run Enterprise as root (a big attack vector for bad guys). However, there are some important logs and processes that are just not accessible to a non-root user. So, you’d run the forwarder as root.