Distributed Deployment Manual
Generated: 3/06/2012 3:10 pm
Table of Contents
Overview
- Distributed Splunk overview
- How data moves through Splunk: the data pipeline
- Scale your deployment: Splunk components
- Components and roles

Forward data
- About forwarding and receiving
- Types of forwarders
- Forwarder deployment topologies

Configure forwarding
- Set up forwarding and receiving
- Enable a receiver
- Configure forwarders with outputs.conf
- Protect against loss of in-flight data

Use the forwarder to create deployment topologies
- Consolidate data from multiple machines
- Route and filter data
- Forward data to third-party systems

Deploy the universal forwarder
- Introducing the universal forwarder
- Universal forwarder deployment overview
- Deploy a Windows universal forwarder manually
- Deploy a Windows universal forwarder via the command line
- Remotely deploy a Windows universal forwarder with a static configuration
- Deploy a *nix universal forwarder manually
- Remotely deploy a *nix universal forwarder with a static configuration
- Make a universal forwarder part of a system image
- Migrate a Windows light forwarder
- Migrate a *nix light forwarder
- Upgrade the Windows universal forwarder
- Upgrade the universal forwarder for *nix systems
- Supported CLI commands

Deploy heavy and light forwarders
- Deploy a heavy or light forwarder
- Heavy and light forwarder capabilities

Search across multiple indexers
- What is distributed search?
- Install a dedicated search head
- Configure distributed search
- Mount the knowledge bundle
- Configure search head pooling
- Use distributed search

Monitor your deployment
- About the deployment monitor
- Explore your deployment
- Troubleshoot your deployment
- Drill for details

Upgrade your deployment
- Upgrade your distributed environment

Deploy updates across your environment
- About deployment server
- Plan a deployment
- Define server classes
- Configure deployment clients
- Deploy in multi-tenant environments
- Deploy apps and configurations
- Extended example: deploy several forwarders
- Example: add an input to forwarders
- Example: deploy an app
Overview
Distributed Splunk overview
In single-machine deployments, one instance of Splunk handles the entire end-to-end process, from data input through indexing to search. A single-machine deployment can be useful for testing and evaluation purposes and might serve the needs of department-sized environments. For larger environments, however, where data originates on many machines and where many users need to search the data, you'll want to distribute functionality across multiple Splunk instances. This manual describes how to deploy and use Splunk in such a distributed environment.
As you scale up, you can add more forwarders and indexers. For a larger deployment, you might have hundreds of forwarders sending data to a number of indexers. You can configure load balancing on the forwarders, so that they distribute their data across some or all of the indexers. Not only does load balancing help with scaling, but it also provides a fail-over capability if one of the indexers goes down. The forwarders will automatically switch and start sending their data to any indexers that remain alive. In this diagram, each forwarder load-balances its data across two indexers:
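Load balancing is configured on the forwarder in outputs.conf. As a rough sketch (the group name and indexer hostnames here are made-up examples, not values from this manual), a target group listing two indexers with automatic load balancing enabled might look like this:

```ini
# outputs.conf on the forwarder (group name and hostnames are examples only)
[tcpout]
defaultGroup = lb_indexers

[tcpout:lb_indexers]
# The forwarder distributes its data across these receivers
server = indexer1.example.com:9997, indexer2.example.com:9997
# Switch receivers automatically at set time intervals
autoLB = true
```

If one of the listed indexers goes down, the forwarder redirects its data to the servers that remain alive, which is the fail-over behavior described above.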
To coordinate search activities across multiple indexers, you can also separate out the functions of indexing and searching. In this type of deployment, called distributed search, the indexers might just index data. A Splunk instance dedicated to searching, called the search head, then runs searches across the set of indexers, consolidating the results and presenting them to the user:
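On the search head, the set of indexers to search across (its search peers) is defined in distsearch.conf. A minimal sketch, with hypothetical hostnames, might look like the following; peers are also commonly added through Splunk Manager rather than by hand-editing this file:

```ini
# distsearch.conf on the search head (hostnames are examples only)
[distributedSearch]
# Search peers (indexers), specified as host:management-port
servers = indexer1.example.com:8089, indexer2.example.com:8089
```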
For the largest environments, you can deploy a pool of several search heads sharing a single configuration set. With search head pooling, you can coordinate numerous simultaneous searches across a large number of indexers:
These diagrams illustrate a few basic deployment topologies. You can actually combine the Splunk functions of data input, indexing, and search in a great variety of ways. For example, you can set up the forwarders so that they route data to multiple indexers, based on specified criteria. You can also configure forwarders to index locally before sending the data on to an indexer. In another scenario, you can deploy a single Splunk instance that serves as both search head and indexer, searching across not only its own indexes but the indexes on other Splunk indexers as well. You can mix-and-match Splunk components as needed. The possible scenarios are nearly limitless. This manual describes how to scale a deployment to fit your exact needs, whether you're managing data for a single department or for a global enterprise... or for anything in between.
For information on capacity planning based on the scale of your deployment, read "Hardware capacity planning for your Splunk deployment" in the Installation manual.
How data moves through Splunk: the data pipeline

Splunk instances participate in one or more segments of the data pipeline, as described in "Scale your deployment".

Note: The diagram represents a simplified view of the indexing architecture. It provides a functional view of the architecture and does not fully describe Splunk internals. In particular, the parsing pipeline actually consists of three pipelines: parsing, merging, and typing, which together handle the parsing function. The distinction can matter during troubleshooting, but does not generally affect how you configure or deploy Splunk.
Input
In the input segment, Splunk consumes data. It acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with some metadata keys. The keys apply to the entire input source overall. They include the host, source, and source type of the data. The keys can also include values that are used internally by Splunk, such as the character encoding of the data stream, and values that control later processing of the data, such as the index into which the events should be stored. During this phase, Splunk does not look at the contents of the data stream, so the keys apply to the entire source, not to individual events. In fact, at this point, Splunk has no notion of individual events at all, only of a stream of data with certain global properties.
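These source-wide metadata keys are typically assigned where the input is defined, in inputs.conf. For example (the path and values here are purely illustrative), a monitored file input might set all three keys, plus the index that controls later processing:

```ini
# inputs.conf (path and values are examples only)
[monitor:///var/log/messages]
# Metadata keys applied to the entire input source
host = webserver01
sourcetype = syslog
# Controls later processing: which index the events are stored in
index = main
```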
Parsing
During the parsing segment, Splunk examines, analyzes, and transforms the data. This is also known as event processing. The parsing phase has several sub-phases:
- Breaking the stream of data into individual lines.
- Identifying, parsing, and setting timestamps.
- Annotating individual events with metadata copied from the source-wide keys.
- Transforming event data and metadata according to Splunk regex transform rules.
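The transform sub-phase is driven by props.conf and transforms.conf. As a sketch (the stanza names and regex here are invented for illustration), a rule that discards DEBUG lines from syslog data during parsing might look like:

```ini
# props.conf -- bind a transform to the syslog source type
[syslog]
TRANSFORMS-null = setnull

# transforms.conf -- route matching events to the null queue (discard them)
[setnull]
REGEX = ^\s*DEBUG
DEST_KEY = queue
FORMAT = nullQueue
```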
Indexing
During indexing, Splunk takes the parsed events and writes them to the search index on disk. It writes both compressed raw data and the corresponding index files. For brevity, parsing and indexing are often referred to together as the indexing process. At a high level, that's fine. But when you need to look more closely at the actual processing of data, it can be important to consider the two segments individually.
Search
Splunk's search function manages all aspects of how the user sees and uses the indexed data, including interactive and scheduled searches, reports and charts, dashboards, and alerts. As part of its search function, Splunk stores user-created knowledge objects, such as saved searches, event types, views, and field extractions. For more information on the various steps in the pipeline, see "How indexing works".
Scale your deployment: Splunk components

You create most components by enabling or disabling specific functions of the full Splunk instance. These are the Splunk component types available for use in a distributed environment:
- Indexer
- Forwarder
- Search head
- Deployment server
All components are variations of the full Splunk instance, with certain features either enabled or disabled, except for the universal forwarder, which is its own executable.
Indexers
In a single-machine deployment consisting of just one Splunk instance, the Splunk indexer also handles data input and search requests. For mid-to-enterprise scale needs, on the other hand, indexing is split out from the data input function and sometimes from the search function as well. In these larger, distributed deployments, the Splunk indexer might reside on its own machine and handle only indexing (usually along with parsing). In that case, other Splunk components take over the non-indexing/parsing roles. For information on indexers, see the Admin manual, starting with the topic "What's a Splunk index?".
Forwarders
One role that's typically split off from the indexer is the data input function. For instance, you might have a group of Windows and Linux machines generating data that needs to go to a central Splunk indexer for consolidation. Usually the best way to do this is to install a lightweight instance of Splunk, known as a forwarder, on each of the data-generating machines. These forwarders manage the data input and send the resulting data streams across the network to a Splunk indexer, which resides on its own machine. There are two types of forwarders:
- Universal forwarders. These have a very light footprint and forward only unparsed data.
- Heavy forwarders. These have a larger footprint but can parse, and even index, data before forwarding it.
Note: There is also a third type of forwarder, the light forwarder. The light forwarder is essentially obsolete, having been replaced in release 4.2 by the universal forwarder, which provides similar functionality in a smaller footprint. For information on forwarders, start with the topic "About forwarding and receiving".
Search heads
Similarly, in cases where you have a large amount of indexed data and numerous users concurrently searching on it, it can make sense to distribute the indexing load across several indexers, while offloading the search query function to a separate machine. In this type of scenario, known as distributed search, one or more Splunk components called search heads distribute search requests
across multiple indexers. For information on search heads, see "What is distributed search?".
Deployment server
To update a distributed deployment, you can use Splunk's deployment server. The deployment server lets you push out configurations and content to sets of Splunk instances (referred to, in this context, as deployment clients), grouped according to any useful criteria, such as OS, machine type, application area, location, and so on. The deployment clients are usually forwarders or indexers. For example, once you've made and tested an updated configuration on a local Linux forwarder, you can push the changes to all the Linux forwarders in your deployment. If your deployment is small (fewer than about 30 deployment clients), the deployment server can share a Splunk instance with another Splunk component, either a search head or an indexer. In larger deployments, it should run on its own Splunk instance. For more information, see the tech note on the Community Wiki. For detailed information on the deployment server, see "About deployment server".
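Server classes are defined on the deployment server in serverclass.conf. A minimal sketch, with hypothetical class, hostname-pattern, and app names, might group all Linux forwarders and deploy an app to them:

```ini
# serverclass.conf on the deployment server (names and patterns are examples only)
[serverClass:linux_forwarders]
# Match deployment clients by hostname pattern
whitelist.0 = linux-fwd*

[serverClass:linux_forwarders:app:sample_linux_inputs]
# Restart the client's Splunk instance after the app is deployed
restartSplunkd = true
```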
Deployment monitor
Although it's actually an app, not a Splunk component, the deployment monitor has an important role to play in distributed environments. Distributed deployments can scale to forwarders numbering into the thousands, sending data to many indexers, which feed multiple search heads. To view and troubleshoot these distributed deployments, you can use the deployment monitor, which provides numerous views into the state of your forwarders and indexers. For detailed information on the deployment monitor, see "About deployment monitor".
Where to go next
While the fundamental issues of indexing and event processing remain the same no matter what the size or nature of your distributed deployment, it is important to take into account deployment needs when planning your indexing strategy. To do that effectively, you must also understand how components map to roles. For guidelines on scaling your deployment, see "Hardware capacity planning for your Splunk deployment".
Splunk component and role:
- Universal or heavy forwarder: data input
- Indexer: indexing (and, in single-machine deployments, data input and search as well)
- Search head: search across indexers
- Deployment server: pushing configuration updates
- Deployment monitor: monitoring the deployment (not actually a component, but rather an app that is a key feature for managing distributed environments)
As you can see, some roles can be filled by different components depending on the situation. For instance, data input can be handled by an indexer in single-machine deployments, or by a forwarder in larger deployments. For more information on components, see the preceding sections of this topic.
Components in action
These are some of the common ways in which Splunk functionality is distributed and managed.

Forward data to an indexer

In this deployment scenario, forwarders handle data input, collecting data and sending it on to a Splunk indexer. Forwarders come in two flavors:
- Universal forwarders. These maintain a small footprint on their host machine. They perform minimal processing on the incoming data streams before forwarding them on to an indexer, also known as the receiver.
- Heavy forwarders. These retain much of the functionality of a full Splunk instance. They can parse data before forwarding it to the receiving indexer. (See "How data moves through Splunk" for the distinction between parsing and indexing.)
Both types of forwarders tag data with metadata such as host, source, and source type before forwarding it on to the indexer.

Note: There is also a third type of forwarder, the light forwarder. The light forwarder is essentially obsolete, having been replaced in release 4.2 by the universal forwarder, which provides similar functionality in a smaller footprint.

Forwarders allow you to use resources efficiently while processing large quantities or disparate types of data. They also enable a number of interesting deployment topologies, by offering capabilities for load balancing, data filtering, and routing. For an extended discussion of forwarders, including configuration and detailed use cases, see "About forwarding and receiving".

Search across multiple indexers

In distributed search, Splunk instances send search requests to other Splunk instances and merge the results back to the user. This is useful for a number of purposes, including horizontal scaling, access control, and managing geo-dispersed data. The Splunk instance that manages search requests is called the search head. The instances that maintain the indexes and perform the actual searching are indexers, called search peers in this context. For an extended discussion of distributed search, including configuration and detailed use cases, see "What is distributed search?".

Manage distributed updates

When dealing with distributed deployments consisting potentially of many forwarders, indexers, and search heads, the Splunk deployment server simplifies the process of configuring and updating Splunk components, mainly forwarders and indexers. Using the deployment server, you can group the components (referred to as deployment clients in this context) into server classes, making it possible to push updates based on common characteristics. A server class is a set of Splunk instances that share configurations. Server classes are typically grouped by OS, machine type, application area, location, or other useful criteria. A single deployment client can belong to multiple server classes, so a Linux universal forwarder residing in the UK, for example, might belong to a Linux server class and a UK server class, and receive configuration settings appropriate to each. For an extended discussion of deployment management, see "About deployment server".

View and troubleshoot your deployment

Use the deployment monitor app to view the status of your Splunk components and troubleshoot them. The deployment monitor is functionally part of the search role, so it resides with either an indexer or a search head. It looks at internal events generated by Splunk forwarders and indexers. The home page for this app is a dashboard that provides charts with basic stats on index throughput and forwarder connections over time. It also includes warnings for unusual conditions, such as forwarders that appear to be missing from the system or indexers that aren't currently indexing any data.

The charts, warnings, and other information on this page provide an easy way to monitor potentially serious conditions. The page itself provides guidance on what each type of warning means. The deployment monitor also provides pages that consolidate data for all forwarders and indexers in your deployment. You can drill down further to obtain detailed information on any forwarder or indexer. For more information on the deployment monitor, see "About the deployment monitor".
Forward data
About forwarding and receiving
You can forward data from one Splunk instance to another Splunk server or even to a non-Splunk system. The Splunk instance that performs the forwarding is typically a smaller footprint version of Splunk, called a forwarder. A Splunk instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk indexer, but can also be another forwarder, as described here. This diagram shows three forwarders sending data to a single Splunk receiver (an indexer), which then indexes the data and makes it available for searching:
Forwarders represent a much more robust solution for data forwarding than raw network feeds, with their capabilities for:
- Tagging of metadata (source, source type, and host)
- Configurable buffering
- Data compression
- SSL security
- Use of any available network ports
The forwarding and receiving capability makes possible all sorts of interesting Splunk topologies to handle functions like data consolidation, load balancing, and data routing. For more information on the types of deployment topologies that you can create with forwarders, see "Forwarder deployment topologies". Splunk provides a number of types of forwarders to meet various needs. These are described in "Types of forwarders".
Types of forwarders
There are three types of forwarders:
- The universal forwarder is a streamlined, dedicated version of Splunk that contains only the essential components needed to forward data to receivers.
- A heavy forwarder is a full Splunk instance, with some features disabled to achieve a smaller footprint.
- A light forwarder is also a full Splunk instance, with most features disabled to achieve as small a footprint as possible. The universal forwarder, with its even smaller footprint yet similar functionality, supersedes the light forwarder for nearly all purposes.

In nearly all respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data, as described later in this topic. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder. You also cannot index data locally on a universal forwarder; only a heavy forwarder can index and forward.
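For the index-and-forward case on a heavy forwarder, outputs.conf can enable local indexing alongside forwarding. A sketch, under the assumption of a single hypothetical receiver address:

```ini
# outputs.conf on a heavy forwarder (group name and address are examples only)
[tcpout]
defaultGroup = primary_indexers
# Keep a local indexed copy of the data in addition to forwarding it
indexAndForward = true

[tcpout:primary_indexers]
server = indexer.example.com:9997
```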
See "Configure forwarders with outputs.conf" in this manual for details. A light forwarder has a smaller footprint with much more limited functionality. It forwards only unparsed data. Starting with 4.2, it has been superseded by the universal forwarder, which provides very similar functionality in a smaller footprint. The light forwarder continues to be available mainly to meet any legacy needs. We recommend that you always use the universal forwarder to forward unparsed data. When you install a universal forwarder, the installer gives you the opportunity to migrate checkpoint settings from any (version 4.0 or greater) light forwarder residing on the same machine. See "Introducing the universal forwarder" for a more detailed comparison of the universal and light forwarders. For detailed information on the capabilities of heavy and light forwarders, see "Heavy and light forwarder capabilities". To learn how to enable and deploy a heavy or light forwarder, see "Deploy a heavy or light forwarder".
Forwarder comparison
This table summarizes the similarities and differences among the three types of forwarders:

| Features and capabilities | Universal forwarder | Light forwarder | Heavy forwarder |
|---|---|---|---|
| Type of Splunk instance | Dedicated executable | Full Splunk, with most features disabled | Full Splunk, with some features disabled |
| Footprint (memory, CPU load) | Smallest | Small | Medium-to-large (depending on enabled features) |
| Bundles Python? | No | Yes | Yes |
| Handles data inputs? | All types (but scripted inputs might require a Python installation) | All types | All types |
| Forwards to Splunk? | Yes | Yes | Yes |
| Forwards to 3rd-party systems? | Yes | Yes | Yes |
| Serves as intermediate forwarder? | Yes | Yes | Yes |
| Indexer acknowledgment (guaranteed delivery)? | Optional | Optional (version 4.2+) | Optional (version 4.2+) |
| Load balancing? | Yes | Yes | Yes |
| Data cloning? | Yes | Yes | Yes |
| Per-event filtering? | No | No | Yes |
| Event routing? | No | No | Yes |
| Event parsing? | No | No | Yes |
| Local indexing? | No | No | Optional, by setting the indexAndForward attribute in outputs.conf |
For detailed information on specific capabilities, see the rest of this topic, as well as the other forwarding topics in the manual.
Data consolidation
Data consolidation is one of the most common topologies, with multiple forwarders sending data to a single Splunk server. The scenario typically involves universal forwarders forwarding unparsed data from workstations or production non-Splunk servers to a central Splunk server for consolidation and indexing.
With their lighter footprint, universal forwarders have minimal impact on the performance of the systems they reside on. In other scenarios, heavy forwarders can send parsed data to a central Splunk indexer. Here, three universal forwarders are sending data to a single Splunk indexer:
For more information on data consolidation, read "Consolidate data from multiple machines".
Load balancing
Load balancing simplifies the process of distributing data across several Splunk indexers to handle considerations such as high data volume, horizontal scaling for enhanced search performance, and fault tolerance. In load balancing, the forwarder routes data sequentially to different indexers at specified intervals. Splunk forwarders perform automatic load balancing, in which the forwarder switches receivers at set time intervals. If parsing is turned on (for a heavy forwarder), the switching will occur at event boundaries. In this diagram, three universal forwarders are each performing load balancing between two indexers:
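The switching interval is controlled by the autoLBFrequency attribute in outputs.conf, which defaults to 30 seconds. As a sketch (the group name and addresses are hypothetical), a forwarder that rotates among its receivers every 40 seconds might be configured like this:

```ini
# outputs.conf (group name and addresses are examples only)
[tcpout:indexer_pool]
server = idx1.example.com:9997, idx2.example.com:9997
autoLB = true
# Seconds between automatic receiver switches
autoLBFrequency = 40
```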
For more information on routing and filtering, read "Route and filter data".
For more information on forwarding to non-Splunk systems, read "Forward data to third-party systems".
Intermediate forwarding
To handle some advanced use cases, you might want to insert an intermediate forwarder between a group of forwarders and the indexer. In this type of scenario, the end-point forwarders send data to a consolidating forwarder, which then forwards the data on to an indexer, usually after indexing it locally. Typical use cases are situations where you need an intermediate index, either for "store-and-forward" requirements or to enable localized searching. (In this case, you would need to use a heavy forwarder.) You can also use an intermediate forwarder if you have some need to limit access to the indexer machine; for instance, for security reasons. To enable intermediate forwarding, you need to configure the forwarder as both a forwarder and a receiver. For information on how to configure a receiver, read "Enable a receiver".
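Configuring an intermediate forwarder therefore means combining a receiving input with a forwarding output on the same instance. A minimal sketch (the central indexer's hostname is a made-up example):

```ini
# inputs.conf on the intermediate forwarder: receive from the end-point forwarders
[splunktcp://9997]

# outputs.conf on the same instance: forward the data on to the central indexer
[tcpout:central_indexer]
server = central-indexer.example.com:9997
```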
Configure forwarding
Set up forwarding and receiving
Once you've determined your Splunk forwarder deployment topology and what type of forwarder is necessary to implement it, the steps for setting up forwarding and receiving are straightforward. This topic outlines the key steps and provides links to the detailed topics. To set up forwarding and receiving, you need to perform two basic actions, in this order:
1. Set up one or more Splunk indexers as receivers. These will receive the data from the forwarders.
2. Set up one or more Splunk forwarders. These will forward data to the receivers.
The procedures vary somewhat according to whether the forwarder is a universal forwarder or a heavy/light forwarder. Universal forwarders can sometimes be installed and configured in a single step. Heavy/light forwarders are first installed as full Splunk instances and then configured as forwarders. Note: This topic assumes that your receivers are indexers. However, in some scenarios, discussed elsewhere, a forwarder also serves as a receiver. The set-up is much the same for any kind of receiver.
Enable a receiver
To enable forwarding and receiving, you configure both a receiver and a forwarder. The receiver is the Splunk instance receiving the data; the forwarder sends data to the receiver. Depending on your needs (for example to enable load balancing), you might have multiple receivers for each forwarder. Conversely, a single receiver usually receives data from many forwarders. The receiver is either a Splunk indexer (the typical case) or another forwarder (referred to as an "intermediate forwarder") configured to receive data from forwarders. You must set up the receiver first. You can then set up forwarders to send data to that receiver.
All 4.0.x, 4.1.x, and 4.2.x forwarders can send data to any 3.4.14 or later indexer. We do not support using 3.4.14 or later forwarders to send data to 3.4.13 or earlier indexers, although some combinations might be valid. All indexers are backward compatible with any forwarder: Indexers of any version can always receive data from any earlier version forwarder. For example, a 4.2 indexer can receive data from a 3.4 forwarder.
Set up receiving
Before enabling a Splunk instance (either an indexer or a forwarder) as a receiver, you must first install it. You can then enable receiving on the instance through Splunk Web, the CLI, or the inputs.conf configuration file.

Set up receiving with Splunk Web

Use Splunk Manager to set up a receiver:
1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.
2. Click the Manager link in the upper right corner.
3. Select Forwarding and receiving in the Data area.
4. Click Add new in the Receive data section.
5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
6. Click Save. You must restart Splunk to complete the process.

Set up receiving with the Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path. To enable receiving, enter:

./splunk enable listen <port> -auth <username>:<password>
For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

To disable receiving, enter:
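The disable form of the command (exact arguments may vary by version; check the CLI help for your release):

```
./splunk disable listen <port> -auth <username>:<password>
```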
Set up receiving with the configuration file You can enable receiving on your Splunk instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local. For most purposes, you just need to add a [splunktcp] stanza that specifies the listening port. In this example, the listening port is 9997:
[splunktcp://9997]
For further details, refer to the inputs.conf spec file. To configure a universal forwarder as an intermediate forwarder (a forwarder that functions also as a receiver), use this method.
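For example, an intermediate forwarder combines a [splunktcp] receiving stanza in inputs.conf with ordinary forwarding in outputs.conf (the port, group name, and indexer name below are placeholders):

```
# inputs.conf: receive data from downstream forwarders
[splunktcp://9997]

# outputs.conf: forward everything on to the indexer
[tcpout:primary_indexer]
server = indexer.example.com:9997
```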
Important: After you have downloaded the relevant OS app, remove its inputs.conf file before enabling the app, to ensure that its default inputs are not added to your indexer. For the Windows app, the location is: %SPLUNK_HOME%\etc\apps\windows\default\inputs.conf. In summary, you only need to install the app for the forwarder's OS on the receiver (or search head) if it will be performing searches on the forwarded OS data.
splunkd.log:03-01-2010 13:35:28.653 ERROR TcpInputFd - SSL Error = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol ACCEPT_RESULT=-1 VERIFY_RESULT=0
splunkd.log:03-01-2010 13:35:28.653 ERROR TcpInputFd - SSL Error for fd from HOST:localhost.localdomain, IP:127.0.0.1, PORT:53075
splunkd.log:03-01-2010 13:35:28.653 ERROR TcpInputFd - SSL Error = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol ACCEPT_RESULT=-1 VERIFY_RESULT=0
splunkd.log:03-01-2010 13:35:28.653 ERROR TcpInputFd - SSL Error for fd from HOST:localhost.localdomain, IP:127.0.0.1, PORT:53076
splunkd.log:03-01-2010 13:35:28.654 ERROR TcpInputFd - SSL Error = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol ACCEPT_RESULT=-1 VERIFY_RESULT=0
splunkd.log:03-01-2010 13:35:28.654 ERROR TcpInputFd - SSL Error for fd from HOST:localhost.localdomain, IP:127.0.0.1, PORT:53077
splunkd.log:03-01-2010 13:35:28.654 ERROR TcpInputFd - SSL Error = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol ACCEPT_RESULT=-1 VERIFY_RESULT=0
Closed receiving socket

If a receiving indexer's queues become full, it will close the receiving socket, to prevent additional forwarders from connecting to it. If a forwarder with load balancing enabled can no longer forward to that receiver, it will send its data to another indexer on its list. If the forwarder does not employ load balancing, it will hold the data until the problem is resolved. The receiving socket will reopen automatically when the queue gets unclogged. Typically, a receiver gets behind on the dataflow because it can no longer write data due to a full disk or because it is itself attempting to forward data to another Splunk instance that is not accepting data. The following warning message will appear in splunkd.log if the socket gets blocked:
Stopping all listening ports. Queues blocked for more than N seconds.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around configuring forwarding.
Configuration levels
There are two types of output processors: tcpout and syslog. You can configure them at three levels of stanzas:

Global. At the global level, you specify any attributes that you want to apply globally, as well as certain attributes only configurable at the system-wide level for the output processor. This stanza is optional.

Target group. A target group defines settings for one or more receiving indexers. There can be multiple target groups per output processor. Most configuration settings can be specified at the target group level.

Single server. You can specify configuration values for single servers (receivers) within a target group. This stanza type is optional.

Configurations at the more specific level take precedence. For example, if you specify compressed=true for a single receiver, the forwarder will send that receiver compressed data, even if compressed is set to "false" for the receiver's target group.

Note: This discussion focuses on the tcpout processor, which uses the [tcpout] header. For the syslog output processor, see "Forward data to third-party systems" for details.

Global stanza

Here you set any attributes that you want to apply globally. There are also two attributes that you can set only at the global level: defaultGroup and indexAndForward. The global stanza for the tcpout processor is specified with the [tcpout] header. Here's an example of a global tcpout stanza:
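A global tcpout stanza with the two attribute/value pairs discussed below looks like this:

```
[tcpout]
defaultGroup=indexer1
indexAndForward=true
```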
This global stanza includes two attribute/value pairs:

defaultGroup=indexer1
This tells the forwarder to send all data to the "indexer1" target group. See "Default target groups" for more information.

indexAndForward=true
This tells the forwarder to index the data locally, as well as forward the data to receiving indexers in the target groups. If set to "false" (the default), the forwarder just forwards data but does not index it. This attribute is only available for heavy forwarders; universal and light forwarders cannot index data.

Note: Beginning with the 4.2 release, the global stanza is no longer required. However, if you want to set the defaultGroup attribute or any other attribute settable only at the global level, you still need that stanza.
Target group stanza

The target group identifies a set of receivers. It also specifies how the forwarder sends data to those receivers. You can define multiple target groups. Here's the basic pattern for the target group stanza:
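The pattern, with placeholders for the processor, group name, receivers, and attributes:

```
[<output_processor>:<target_group>]
server=<ipaddress_or_servername>:<port>, <ipaddress_or_servername>:<port>, ...
<attribute1>=<val1>
<attribute2>=<val2>
```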
For <output_processor>, you can specify tcpout or syslog. To specify a receiving server in a target group, use the format <ipaddress_or_servername>:<port>, where <port> is the receiving server's listening port. For example, myhost.Splunk.com:9997. You can specify multiple receivers, and the forwarder will load balance among them.

Note: Starting with Splunk version 4.3, you can use an IPv6 address when specifying the receiving indexer. For more information, see "Configure Splunk for IPv6" in the Admin manual.

See "Define typical deployment topologies", later in this topic, for information on how to use the target group stanza to define several deployment topologies.

Single-server stanza

You can define a specific configuration for an individual receiving indexer. However, the receiver must also be a member of a target group. When you define an attribute at the single-server level, it takes precedence over any definition at the target group or global level. Here is the syntax for defining a single-server stanza:
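The syntax (this is the [tcpout-server: ...] stanza type referred to elsewhere in this topic):

```
[tcpout-server://<ipaddress_or_servername>:<port>]
<attribute1>=<val1>
```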
Example
The following outputs.conf example contains three stanzas for sending tcpout to Splunk receivers:

Global settings. In this example, there is one setting, to specify a defaultGroup.

Settings for a single target group consisting of two receivers. Here, we are stipulating that the forwarder send the data in compressed form to the targeted receivers. It load balances between them.

Settings for one receiver within the target group. This stanza turns off compression for this particular receiver. The server-specific value for "compressed" takes precedence over the value set at the target group level.
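Assembled from the three descriptions above (the indexer names are placeholders), the example looks like:

```
[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
compressed=true

[tcpout-server://mysplunk_indexer1:9997]
compressed=false
```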
The defaultGroup specifies one or more target groups, defined later in tcpout:<target_group> stanzas. The forwarder will send all events to the specified groups. If you do not want to forward data automatically, don't set the defaultGroup attribute. (Prior to 4.2, you were required to set the defaultGroup to some value. This is no longer necessary.) For some examples of using the defaultGroup attribute, see "Route and filter data".
[tcpout:my_LB_indexers]
server=10.10.10.1:9997,10.10.10.2:9996,10.10.10.3:9995
The forwarder will load balance between the three receivers listed. If one receiver goes down, the forwarder automatically switches to the next one available.
Data cloning

To perform data cloning, specify multiple target groups, each in its own stanza. In data cloning, the forwarder sends copies of all its events to the receivers in two or more target groups. Data cloning usually results in similar, but not necessarily exact, copies of data on the receiving indexers. Here's an example of how you set up data cloning:
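A minimal sketch, using the indexer1 and indexer2 group names referenced below (server addresses are placeholders):

```
[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997
```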
The forwarder will send duplicate data streams to the servers specified in both the indexer1 and indexer2 target groups.

Data cloning with load balancing

You can combine load balancing with data cloning. For example:
[tcpout]
defaultGroup=cloned_group1,cloned_group2

[tcpout:cloned_group1]
server=10.10.10.1:9997, 10.10.10.2:9997, 10.10.10.3:9997

[tcpout:cloned_group2]
server=10.1.1.197:9997, 10.1.1.198:9997, 10.1.1.199:9997, 10.1.1.200:9997
The forwarder will send full data streams to both cloned_group1 and cloned_group2. The data will be load-balanced within each group, rotating among receivers every 30 seconds (the default frequency). Note: For syslog and other output types, you must explicitly specify routing as described here: "Route and filter data".
Forwarding attributes
The outputs.conf file provides a large number of configuration options that offer considerable control and flexibility in forwarding. Of the attributes available, several are of particular interest:

defaultGroup
Default: n/a
Where configured: global stanza
Value: A comma-separated list of one or more target groups. The forwarder sends all events to all specified target groups. Don't set this attribute if you don't want events automatically forwarded to a target group.

indexAndForward
Default: false
Where configured: global stanza
Value: If set to "true", the forwarder will index all data locally, in addition to forwarding the data to a receiving indexer. Important: This attribute is only available for heavy forwarders. A universal forwarder cannot index locally.

server
Default: n/a
Where configured: target group or single-server stanza
Value: Required. Specifies the server(s) that will function as receivers for the forwarder. This must be set to a value using the format <ipaddress_or_servername>:<port>, where <port> is the receiving server's listening port. Note: Starting with Splunk version 4.3, you can use an IPv6 address when specifying the receiving indexer. For more information, see "Configure Splunk for IPv6" in the Admin manual.

disabled
Default: false
Where configured: any stanza level
Value: Specifies whether the stanza is disabled. If set to "true", it is equivalent to the stanza not being there.

sendCookedData
Default: true
Where configured: any stanza level
Value: Specifies whether data is cooked before forwarding.

compressed
Default: false
Where configured: any stanza level
Value: Specifies whether the forwarder sends compressed data.

ssl... (set of SSL attributes)
Default: n/a
Where configured: any stanza level
Value: Set of attributes for configuring SSL. See "Use SSL to encrypt and authenticate data from forwarders" in the Admin manual for information on how to use these attributes.

useACK
Default: false
Where configured: [tcpout] or [tcpout:<target_group>] stanza
Value: Specifies whether the forwarder waits for indexer acknowledgment confirming that the data has been written to the file system. See "Protect against loss of in-flight data".
The outputs.conf.spec file, which you can find here, along with several examples, provides details for these and all other configuration options. In addition, most of these settings are discussed in topics dealing with specific forwarding scenarios. Note: In 4.2, the persistent queue capability has been much improved. It is now a feature of data inputs and is therefore configured in inputs.conf. It is not related in any way to the previous, deprecated persistent queue capability, which was configured through outputs.conf. See "Use persistent queues to prevent data loss" for details.
one of the blocks, at which point it can free up space in the queue.

Other reasons the forwarder might close a connection

There are actually three conditions that can cause the forwarder to close the network connection:

Read timeout. The forwarder doesn't receive acknowledgment within 300 (default) seconds. This is the condition described above.

Write timeout. The forwarder is not able to finish a network write within 300 (default) seconds. The value is configurable in outputs.conf by setting writeTimeout.

Read/write failure. Typical causes include the indexer's machine crashing or the network going down.

In all these cases, the forwarder will then attempt to open a connection to the next indexer in the load-balanced group, or to the same indexer again if load balancing is not enabled.

The possibility of duplicates

It's possible for the indexer to index the same data block twice. This can happen if there's a network problem that prevents an acknowledgment from reaching the forwarder. For instance, assume the indexer receives a data block, parses it, and writes it to the file system. It then generates the acknowledgment. However, on the round trip to the forwarder, the network goes down, so the forwarder never receives the acknowledgment. When the network comes back up, the forwarder resends the data block, which the indexer will parse and write as if it were new data. To deal with such a possibility, every time the forwarder resends a data block, it writes an event to its splunkd.log noting that it's a possible duplicate. The admin is responsible for using the log information to track down the duplicate data on the indexer. Here's an example of a duplicate warning:
10-18-2010 17:32:36.941 WARN TcpOutputProc - Possible duplication of events with channel=source::/home/jkerai/splunk/current-install/etc/apps/sample_app/logs/maillog.1|host::MrT|s streamId=5941229245963076846, offset=131072 subOffset=219 on host=10.1.42.2:9992
A value of useACK=true enables indexer acknowledgment. By default, this feature is disabled:

useACK=false

Note: You can set useACK either globally or by target group, at the [tcpout] or [tcpout:<target_group>] stanza levels. You cannot set it for individual servers at the [tcpout-server: ...] stanza level.
Configure the wait queue size

The maximum wait queue size is 3x the size of the in-memory output queue, which you set with the maxQueueSize attribute in outputs.conf:
maxQueueSize = [<integer>|<integer>[KB|MB|GB]]
For example, if you set maxQueueSize to 2MB, the maximum wait queue size will be 6MB. Note the following:

This attribute sets the maximum size of the forwarder's in-memory (RAM) output queue. It also determines the maximum size of the wait queue, which is 3x the setting for the output queue.

If specified as a lone integer (for example, maxQueueSize=100), it determines the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For forwarders sending unparsed data (mainly universal forwarders), maxQueueSize is the maximum number of data blocks. For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the output and wait queues on a parsing forwarder will likely be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), it determines the maximum RAM allocated to the output queue and, indirectly, to the wait queue. If configured as maxQueueSize=100MB, the maximum size of the output queue will be 100MB and the maximum size of the wait queue, if any, will be 300MB.

maxQueueSize defaults to 500KB. The default wait queue size is 3x that amount: 1500KB.

Although the wait queue and the output queues are configured by the same attribute, they are separate queues.

Important: If you're enabling indexer acknowledgment, be careful to take into account your system's available memory when setting maxQueueSize. You'll need to accommodate 4x the maxQueueSize setting (1x for the output queue + 3x for the wait queue).
to the indexer. Because it doesn't itself have useACK enabled, the intermediate forwarder cannot verify delivery of the data to the indexer. This use case has limited value.
The diagram illustrates a small deployment. In practice, the number of universal forwarders in a data consolidation use case could number upwards into the thousands. This type of use case is simple to configure:

1. Determine what data, originating from which machines, you need to access.

2. Install a Splunk instance, typically on its own server. This instance will function as the receiver. All indexing and searching will occur on it.

3. Enable the instance as a receiver through Splunk Web or the CLI. Using the CLI, enter this command from $SPLUNK_HOME/bin/:
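The command, with placeholder credentials:

```
./splunk enable listen <port> -auth <username>:<password>
```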
For <port>, substitute the port you want the receiver to listen on.

4. If any of the universal forwarders will be running on a different operating system from the receiver, install the app for the forwarder's OS on the receiver. For example, assume the receiver in the diagram above is running on a Linux box. In that case, you'll need to install the Windows app on the receiver. You might need to install the *nix app as well; however, since the receiver is on Linux, you probably have already installed that app. Details and provisos regarding this can be found here. After you have downloaded the relevant app, remove its inputs.conf file before enabling it, to ensure that its default inputs are not added to your indexer. For the Windows app, the location is: $SPLUNK_HOME/etc/apps/windows/default/inputs.conf.
5. Install universal forwarders on each machine that will be generating data. These will forward the data to the receiver.

6. Set up inputs for each forwarder. See "What Splunk can index".

7. Configure each forwarder to forward data to the receiver. For Windows forwarders, you can do this at installation time, as described here. For *nix forwarders, you must do this through the CLI:
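The command, with placeholder credentials:

```
./splunk add forward-server <host>:<port> -auth <username>:<password>
```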
For <host>:<port>, substitute the host and listening port number of the receiver. For example,
splunk_indexer.acme.com:9995.
Alternatively, if you have many forwarders, you can use an outputs.conf file to specify the receiver. For example:
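A minimal outputs.conf for this purpose, using the receiver named in the preceding example (the target group name is arbitrary):

```
[tcpout:my_indexers]
server=splunk_indexer.acme.com:9995
```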
You can create this file once, then distribute copies of it to each forwarder.
This topic describes how to filter and route event data to Splunk instances. See "Forward data to third-party systems" in this manual for information on routing to non-Splunk systems. This topic also describes how to perform selective indexing and forwarding, in which you index some data locally on a heavy forwarder and forward the non-indexed data to one or more separate indexers. See "Perform selective indexing and forwarding" later in this topic for details.
Configure routing
This is the basic pattern for defining most routing scenarios (using a heavy forwarder):

1. Determine what criteria to use for routing. How will you identify categories of events, and where will you route them?

2. Edit props.conf to add a TRANSFORMS-routing attribute to determine routing based on event metadata:
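The props.conf pattern:

```
[<spec>]
TRANSFORMS-routing=<transforms_stanza_name>
```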
where <spec> can be:
<sourcetype>, the source type of an event
host::<host>, where <host> is the host for an event
source::<source>, where <source> is the source for an event

Use the <transforms_stanza_name> specified here when creating an entry in transforms.conf (below). Examples later in this topic show how to use this syntax.

3. Edit transforms.conf to specify target groups and to set additional criteria for routing based on event patterns:
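The transforms.conf pattern, assembled from the attribute descriptions in the Note that follows:

```
[<transforms_stanza_name>]
REGEX=<routing_criteria>
DEST_KEY=_TCP_ROUTING
FORMAT=<target_group>,<target_group>,...
```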
Note: <transforms_stanza_name> must match the name you defined in props.conf.

In <routing_criteria>, enter the regex rules that determine which events get routed. This line is required. Use "REGEX = ." if you don't need additional filtering beyond the metadata specified in props.conf.

DEST_KEY should be set to _TCP_ROUTING to send events via TCP. It can also be set to _SYSLOG_ROUTING or _HTTPOUT_ROUTING for other output processors.

Set FORMAT to a <target_group> that matches a target group name you defined in outputs.conf. A comma-separated list will clone events to multiple target groups.

Examples later in this topic show how to use this syntax.

4. Edit outputs.conf to define the target group(s) for the routed data:
[tcpout:<target_group>]
server=<ip>:<port>
Note: Set <target_group> to match the name you specified in transforms.conf. Set the IP address and port to match the receiving server. The use cases described in this topic generally follow this pattern.
2. Edit transforms.conf to set the routing rules for each routing transform:
[errorRouting]
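Based on the routing behavior described in the Note that follows (syslog events go to syslogGroup; events containing "error" go to errorGroup), the pair of transforms looks roughly like this sketch:

```
[errorRouting]
REGEX=error
DEST_KEY=_TCP_ROUTING
FORMAT=errorGroup

[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup
```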
Note: In this example, if a syslog event contains the word "error", it will route to syslogGroup, not errorGroup. This is due to the settings previously specified in props.conf. Those settings dictated that all syslog events be filtered through the syslogRouting transform, while all non-syslog (default) events be filtered through the errorRouting transform. Therefore, only non-syslog events get inspected for errors. 3. Edit outputs.conf to define the target groups:
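A matching outputs.conf sketch (the server addresses are placeholders; the group names come from the surrounding discussion):

```
[tcpout]
defaultGroup=everythingElseGroup

[tcpout:syslogGroup]
server=10.1.1.197:9996

[tcpout:errorGroup]
server=10.1.1.200:9999

[tcpout:everythingElseGroup]
server=10.1.1.250:6666
```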
syslogGroup and errorGroup receive events according to the rules specified in transforms.conf. All other events get routed to the default group, everythingElseGroup.
2. Edit transforms.conf:
[routeAll]
REGEX=(.)
3. Edit outputs.conf:
For more information, see "Forward data to third-party systems" in this manual.
2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
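A sketch of the transform, reusing the sshd regex from the keep/discard example later in this topic:

```
[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue
```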
That does it.

Keep specific events and discard the rest

Here's the opposite scenario. In this example, you use two transforms to keep only the sshd events. One transform routes sshd events to indexQueue, while another routes all other events to nullQueue.

Note: In this example, the order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.

1. In props.conf:
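A props.conf sketch for this scenario (the monitored source is an example path), listing setnull first as the Note requires:

```
[source::/var/log/messages]
TRANSFORMS-set = setnull,setparsing
```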
2. In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue
Filter WMI events

To filter on WMI events, use the [WMI:WinEventLog:Security] source type stanza in props.conf. The following example uses a regex to filter out two Windows event codes, 592 and 593:

In props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
Note: In pre-4.2.x versions of Splunk, you must use [wmi] as the sourcetype in order to send events to nullQueue. In transforms.conf:
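A sketch of the wminull transform; the regex (an assumption) matches events whose EventCode line is 592 or 593:

```
[wminull]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue
```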
In most deployments, you will not need to override the default settings. See outputs.conf for more information on how to whitelist and blacklist indexes.

Forward all internal index data

If you want to forward all internal index data (and not just the data in _audit), you can override the default forwardedindex filter attributes like this:
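One way to do this is to clear the default blacklist entries. The attribute numbering below assumes the defaults shown in outputs.conf.spec; verify against your version:

```
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
```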
Use the forwardedindex attributes with local indexing

On a heavy forwarder, you can index locally. To do that, you must set the indexAndForward attribute to "true". Otherwise, the forwarder just forwards your data and does not save it on the forwarder. On the other hand, the forwardedindex attributes only filter forwarded data; they do not filter any data that gets saved to the local index. In a nutshell, local indexing and forwarder filtering are entirely separate operations, which do not coordinate with each other. This can have unexpected implications when you're performing blacklist filtering:

If you set indexAndForward to "true" and then filter out some data through forwardedindex blacklist attributes, the blacklisted data will not get forwarded, but it will still get locally indexed.

If you set indexAndForward to "false" (no local indexing) and then filter out some data, the filtered data will get dropped entirely, since it doesn't get forwarded and it doesn't get saved (indexed) on the forwarder.
2. In inputs.conf, you use _TCP_ROUTING to specify the stanza in outputs.conf that each input should use for routing:
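For example (the paths and target group names are placeholders):

```
[monitor:///mydata/file1.log]
_TCP_ROUTING = server1_group

[monitor:///mydata/file2.log]
_TCP_ROUTING = server2_group
```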
The forwarder will route data from file1.log to server1 and data from file2.log to server2.
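The global [indexAndForward] stanza referred to in the next paragraph is:

```
[indexAndForward]
index=true
selectiveIndexing=true
```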
The presence of this stanza, including the index and selectiveIndexing attributes, turns on selective indexing for the forwarder. It enables local indexing for any input (specified in inputs.conf) that has the _INDEX_AND_FORWARD_ROUTING attribute. Use the entire [indexAndForward] stanza exactly as shown here.

Note: This is a global stanza, which only needs to appear once in outputs.conf.

b. Include the usual target group stanzas for each set of receiving indexers:
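For example:

```
[tcpout:<target_group>]
server=<receiving_server>:<port>
```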
The named <target_group> is used in inputs.conf to route the inputs, as described below.

2. In inputs.conf:

a. Add the _INDEX_AND_FORWARD_ROUTING attribute to the stanzas of each input that you want to index locally:
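For example (the path is a placeholder; the attribute value can be any string):

```
[monitor:///mydata/source1.log]
_INDEX_AND_FORWARD_ROUTING=local
```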
The presence of the _INDEX_AND_FORWARD_ROUTING attribute tells the heavy forwarder to index that input locally. You can set the attribute to any string value you want. Splunk just looks for the attribute itself; the string value has no effect at all on behavior.

b. Add the _TCP_ROUTING attribute to the stanzas of each input that you want to forward:
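For example:

```
[monitor:///mydata/source2.log]
_TCP_ROUTING=<target_group>
```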
The <target_group> is the name used in outputs.conf to specify the target group of receiving indexers. The next several sections show how to use selective indexing in a variety of scenarios.

Index one input locally and then forward the remaining inputs

In this example, the forwarder indexes data from one input locally but does not forward it. It also forwards data from two other inputs but does not index those inputs locally.
[tcpout]
defaultGroup=noforward
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexerB_9997]
server = indexerB:9997

[tcpout:indexerC_9997]
server = indexerC:9997
Since the defaultGroup is set to the non-existent group "noforward" (meaning that there is no defaultGroup), the forwarder will only forward data that's been routed to explicit target groups in inputs.conf. All other data will get dropped. 2. In inputs.conf, create these stanzas:
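Matching the result described below, the input stanzas look like this (the paths are placeholders):

```
[monitor:///mydata/source1.log]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///mydata/source2.log]
_TCP_ROUTING=indexerB_9997

[monitor:///mydata/source3.log]
_TCP_ROUTING=indexerC_9997
```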
The result:

Splunk indexes the source1.log data locally but does not forward it (because there's no explicit routing in its input stanza and there's no default group in outputs.conf).
Splunk forwards the source2.log data to indexerB but does not index it locally.
Splunk forwards the source3.log data to indexerC but does not index it locally.

Index one input locally and then forward all inputs

This example is nearly identical to the previous one. The difference is that here, you index just one input locally, but then you forward all inputs, including the one you've indexed locally.

1. In outputs.conf, create these stanzas:
This outputs.conf is identical to the previous example. 2. In inputs.conf, create these stanzas:
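Per the description that follows, the stanzas look like this (the paths are placeholders):

```
[monitor:///mydata/source1.log]
_INDEX_AND_FORWARD_ROUTING=local
_TCP_ROUTING=indexerB_9997

[monitor:///mydata/source2.log]
_TCP_ROUTING=indexerB_9997
```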
The only difference from the previous example is that here, you've specified the _TCP_ROUTING attribute for the input that you're indexing locally. Splunk will route both source1.log and source2.log to the indexerB_9997 target group, but it will only locally index the data from source1.log.

Another way to index one input locally and then forward all inputs

You can achieve the same result as in the previous example by setting the defaultGroup to a real target group.

1. In outputs.conf, create these stanzas:
[tcpout]
defaultGroup=indexerB_9997
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexerB_9997]
server = indexerB:9997

[tcpout:indexerC_9997]
server = indexerC:9997
This outputs.conf sets the defaultGroup to indexerB_9997. 2. In inputs.conf, create these stanzas:
[monitor:///mydata/source1.log]
_INDEX_AND_FORWARD_ROUTING=local
Even though you haven't set up an explicit routing for source1.log, Splunk will still forward it to the indexerB_9997 target group, since outputs.conf specifies that group as the defaultGroup.

Selective indexing and internal logs

Once you enable selective indexing in outputs.conf, the forwarder will only locally index those inputs with the _INDEX_AND_FORWARD_ROUTING attribute. This applies to the internal logs in the /var/log/splunk directory (specified in the default etc/system/default/inputs.conf). By default, they will not be indexed. If you want to index them, you must add their input stanza to your local inputs.conf file (which takes precedence over the default file) and include the _INDEX_AND_FORWARD_ROUTING attribute:
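A sketch; the monitor path follows the internal log location described above:

```
[monitor://$SPLUNK_HOME/var/log/splunk]
_INDEX_AND_FORWARD_ROUTING=local
```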
TCP data
To forward TCP data to a third-party system, edit the forwarder's outputs.conf file to specify the receiving server and port. You must also configure the receiving server to expect the incoming data stream on that port. You can use any kind of forwarder, such as a universal forwarder, to perform this type of forwarding. To route the data, however, you need a heavy forwarder, which has the ability to parse data; in that case, edit the forwarder's props.conf and transforms.conf files as well as outputs.conf.

Edit the configuration files

To simply forward data, edit outputs.conf:

Specify target groups for the receiving servers.
Specify the IP address and TCP port for each receiving server.
Set sendCookedData to false, so that the forwarder sends raw data.

To route and filter the data (heavy forwarders only), also edit props.conf and transforms.conf:

In props.conf, specify the host, source, or sourcetype of your data stream. Specify a transform to perform on the input.
In transforms.conf, define the transform and specify _TCP_ROUTING. You can also use regex to further filter the data.

Forward all data

This example shows how to send all the data from a universal forwarder to a third-party system. Since you are sending all the data, you only need to edit outputs.conf:
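A sketch of such an outputs.conf (the server address and group name are placeholders):

```
[tcpout]
defaultGroup = fastlane

[tcpout:fastlane]
server = 10.1.1.35:6996
sendCookedData = false
```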
Forward a subset of data

This example shows how to use a heavy forwarder to filter a subset of data and send the subset to a third-party system:

1. Edit props.conf and transforms.conf to specify the filtering criteria. In props.conf, apply the bigmoney transform to all host names beginning with nyc:
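A props.conf sketch:

```
[host::nyc*]
TRANSFORMS-nyc = bigmoney
```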
In transforms.conf, configure the bigmoney transform to specify _TCP_ROUTING as the DEST_KEY and the bigmoneyreader target group as the FORMAT:
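A transforms.conf sketch:

```
[bigmoney]
DEST_KEY = _TCP_ROUTING
REGEX = .
FORMAT = bigmoneyreader
```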
2. In outputs.conf, define both a bigmoneyreader target group for the non-Splunk server and a default target group to receive any other data:
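A sketch, using the group names discussed below (the bigmoneyreader address is a placeholder; the default group's address follows from its name):

```
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997

[tcpout:default-clone-group-192_168_1_104_9997]
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
server = 10.1.1.197:7999
sendCookedData = false
```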
The forwarder will send all data from host names beginning with nyc to the non-Splunk server specified in the bigmoneyreader target group. It will send data from all other hosts to the server specified in the default-clone-group-192_168_1_104_9997 target group. Note: If you want to forward only the data specifically identified in props.conf and transforms.conf, set defaultGroup=nothing.
Syslog data
You can configure a heavy forwarder to send data in standard syslog format. The forwarder sends the data through a separate output processor. You can also filter the data with props.conf and transforms.conf. You'll need to specify _SYSLOG_ROUTING as the DEST_KEY.

Note: The syslog output processor is not available for universal or light forwarders.

The syslog output processor sends RFC 3164 compliant events to a TCP/UDP-based server and port, making the payload of any non-compliant data RFC 3164 compliant. Yes, that means Windows event logs! To forward syslog data, identify the third-party receiving server and specify it in a syslog target group in the forwarder's outputs.conf file.

Note: If you have defined multiple event types for syslog data, the event type names must all include the string "syslog".

Forward syslog data

In outputs.conf, specify the syslog target group:
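The stanza follows this pattern (placeholders shown):

```
[syslog:<target_group>]
server = <ipaddress_or_servername>:<port>
```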
The target group stanza requires this attribute:

server
Default: n/a
Value: A combination of the IP address or servername of the syslog server and the port on which the syslog server is listening. This must be in the format <ipaddress_or_servername>:<port>. Note that syslog servers use port 514 by default.

The stanza can also include these optional attributes:

type
Default: udp
Value: The transport protocol. Must be set to "tcp" or "udp".

priority
Default: Mimics the number passed via the syslog interface call; see outputs.conf for more information.
Value: Syslog priority. This must be an integer 1 to 3 digits in length, surrounded by angle brackets; for example: <34>. This value will appear in the syslog header. Compute the priority value as (<facility> * 8) + <severity>. If facility is 4 (security/authorization messages) and severity is 2 (critical conditions), the priority value will be (4 * 8) + 2 = 34, which you specify in the conf file as <34>.

syslogSourceType
Default: n/a
Value: This must be in the format sourcetype::syslog, the source type for syslog messages.

timestampformat
Default: ""
Value: The format used when adding a timestamp to the header. This must be in the format <%b %e %H:%M:%S>. See "Configure timestamps" in the Getting Data In manual for details.
Send a subset of data to a syslog server

This example shows how to configure a heavy forwarder to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:

1. Edit props.conf and transforms.conf to specify the filtering criteria. In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
2. In outputs.conf, define the my_syslog_group target group for the non-Splunk server:
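The conf snippets for this example do not survive in this copy. A sketch, using only the names given in the text (send_to_syslog, my_syslog_group, nyc, loghost.example.com:514); the REGEX shown is an assumption that matches every event:

```
# props.conf: apply the transform to hosts whose names begin with "nyc"
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog

# transforms.conf: route matching events to the my_syslog_group target group
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

# outputs.conf: define the target group for the non-Splunk server
[syslog:my_syslog_group]
server = loghost.example.com:514
```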
Compared to the light forwarder, the universal forwarder provides a better performing and more streamlined solution to forwarding. These are the main technical differences between the universal forwarder and the light forwarder:

The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
The universal forwarder has a default data transfer rate of 256Kbps.
The universal forwarder does not come bundled with Python.
The universal forwarder is a forwarder only; it cannot be converted to a full Splunk instance.

For information on deploying the universal forwarder, see the topics that directly follow this one. For information on using the universal forwarder to forward data and participate in various distributed topologies, see the topics in the "Forward data" section of this manual. Those topics also discuss light and heavy forwarders.
Types of deployments
These are the main scenarios for deploying the universal forwarder:

Deploy a Windows universal forwarder manually, either with the installer GUI or from the commandline.
Deploy a *nix universal forwarder manually, using the CLI to configure it.
Remotely deploy a universal forwarder (Windows or *nix).
Make the universal forwarder part of a system image.

Each scenario is described in its own topic. For most scenarios, there are separate Windows and *nix topics.

Note: The universal forwarder is its own downloadable executable, separate from full Splunk. Unlike the light and heavy forwarders, you do not enable it from a full Splunk instance. To download the universal forwarder, go to http://www.splunk.com/download/universalforwarder .
System requirements

See the Installation manual for specific hardware requirements and supported operating systems.

Licensing requirements

The universal forwarder ships with a pre-installed license. See "Types of Splunk licenses" in the Admin manual for details.

Other requirements

You must have admin or equivalent rights on the machine where you're installing the universal forwarder.
Steps to deployment
The actual procedure varies depending on the type of deployment, but these are the typical steps:

1. Plan your deployment.
2. Download the universal forwarder from http://www.splunk.com/download/universalforwarder
3. Install the universal forwarder on a test machine.
4. Perform any post-installation configuration.
5. Test and tune the deployment.
6. Deploy the universal forwarder to machines across your environment (for multi-machine deployments).

These steps are described below in more detail.

Important: Deploying your forwarders is just one step in the overall process of setting up Splunk forwarding and receiving. For an overview of that process, read "Set up forwarding and receiving: universal forwarders".

Plan your deployment

Here are some of the issues to consider when planning your deployment:

How many (and what type of) machines will you be deploying to?
Will you be deploying across multiple OS's?
Do you need to migrate from any existing forwarders?
What, if any, deployment tools do you plan to use?
Will you be deploying via a system image or virtual machine?
Will you be deploying fully configured universal forwarders, or do you plan to complete the configuration after the universal forwarders have been deployed across your system?
What level of security does the communication between universal forwarder and indexer require?
Install, test, configure, deploy

For next steps, see the topic in this chapter that matches your deployment requirements most closely. Each topic contains one or more use cases that cover specific deployment scenarios from installation through configuration and deployment:

"Deploy a Windows universal forwarder manually"
"Deploy a Windows universal forwarder via the commandline"
"Remotely deploy a Windows universal forwarder with a static configuration"
"Deploy a *nix universal forwarder manually"
"Remotely deploy a *nix universal forwarder with a static configuration"
"Make a universal forwarder part of a system image"

But first, read the next section to learn more about universal forwarder configuration.

Note: The universal forwarder's executable is named splunkd, the same as the executable for full Splunk. The service name is SplunkForwarder.
Learn more about configuration

Refer to these topics for some important information:

"About configuration files" and "Configuration file precedence" in the Admin manual, for details on how configuration files work.
"Configure forwarders with outputs.conf", for information on outputs.conf specifically.
The topics in the "Use the forwarder to create deployment topologies" section, for information on configuring outputs with the CLI.
"Configure your inputs" in the Getting Data In manual, for details on configuring data inputs with inputs.conf or the CLI.

Deploy configuration updates

These are the main methods for deploying configuration updates across your set of universal forwarders:

Edit or copy the configuration files for each universal forwarder manually (for small deployments only).
Use the Splunk deployment server to push configured apps to your set of universal forwarders.
Use your own deployment tools to push configuration changes.

Restart the universal forwarder

Some configuration changes might require that you restart the forwarder. (The topics covering specific configuration changes will let you know if a change does require a restart.) To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk instance:

On Windows: Go to %SPLUNK_HOME%\bin and run this command:
> splunk restart
On *nix systems: From a shell prompt on the host, run this command:
# splunk restart
This topic describes how to install the universal forwarder with the installer GUI. You can also install from the commandline, using msiexec. See "Deploy a Windows universal forwarder via the commandline" for more information. Important: If you do not want the universal forwarder to start immediately after installation, you must use the commandline interface. Before following the procedures in this topic, read "Deployment overview".
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder (with optional migration and configuration).
2. Test and tune the deployment.
3. Perform any post-installation configuration.
4. Deploy the universal forwarder across your environment.
Read the license agreement and select "I accept the terms in the license agreement".

3. "Destination Folder" dialog

The universal forwarder is installed by default into the directory C:\Program Files\SplunkUniversalForwarder. Click Change... to specify a different installation directory.

Important: Do not install the universal forwarder over an existing installation of full Splunk. This is particularly vital if you will be migrating from a light forwarder as described in "Migrate a Windows light forwarder". The default install directory for full Splunk is C:\Program Files\Splunk, so, if you stick with the defaults, you're safe.

4. "Migration" pop-up

If the installer detects an existing version of Splunk, it will ask you whether you want to migrate the existing Splunk's data checkpoint settings to the universal forwarder. If you click Yes, it will automatically perform the migration.

Important: This is the only time when you can migrate old settings to this universal forwarder. You cannot perform the migration post-installation. See "Migrate a Windows forwarder" for more information on what migration does.

5. "Deployment Server" dialog

Enter the hostname or IP address and management port for your deployment server. The default management port is 8089. You can use the deployment server to push configuration updates to the universal forwarder. See "About deployment server" for details.

Note: This step is optional, but if you skip it, you must enter a receiving indexer in step 6; otherwise, the universal forwarder will not be able to function, as it will not have any way of determining which indexer to forward to.

6. "Receiving Indexer" dialog

Enter the hostname or IP address and listening port of the receiving indexer (receiver). For information on setting up a receiver, see "Enable a receiver".
Note: This step is optional, but if you skip it, you must enter a deployment server in step 5; otherwise, the universal forwarder will not be able to function, as it will not have any way of determining which indexer to forward to.

7. "Certificate Information" dialog

Select an SSL certificate for verifying the identity of this machine (optional).
Depending on your certificate requirements, you may need to specify a password and a Root CA certificate to verify the identity of the certificate. If not, these fields can be left blank.

Note: This dialog will only appear if you previously specified a receiving indexer (step 6).

8. "Where do you want to get data from?" dialogs

This step in the installer requires one or two dialogs, depending on whether the universal forwarder will be collecting local data exclusively. In the first dialog, you specify the user context: whether you want the universal forwarder to collect only local data or also remote Windows data. The installer uses this information to determine the permissions the universal forwarder needs.

Note: If you select Local data only, the universal forwarder will install as the Local System user, and network resources will not be available to it. This is recommended for improved security, unless this universal forwarder will be collecting event logs or metrics from remote machines. For more help in determining what to select here, see "Choose the user the universal forwarder should run as".

Once you've made your choice, click Next. If you specified Local data only, the installer skips the second screen and takes you directly to the "Enable Windows Inputs" dialog (step 9). If you specified Remote Windows data, the installer now takes you to a second dialog, where you need to enter domain and user information for this instance of the universal forwarder. The universal forwarder will run as the user you specify in this dialog.

The user you specify here must have permissions to:

Run as a service.
Read whatever files you are configuring it to monitor.
Collect event logs or performance metrics via WMI. This is a highly privileged action; see "Monitor WMI data" for more information.
Write to the universal forwarder's directory.

9. "Enable Windows Inputs" dialog

Select one or more Windows inputs from the list. This step is optional.
You can enable inputs later by editing inputs.conf.

10. "Ready to Install the Program" dialog

Click Install to proceed. The installer runs and displays the Installation Completed dialog.
Once the installation is complete, the universal forwarder automatically starts. SplunkForwarder is the name of the universal forwarder service. You should confirm that it is running.
You can use the commandline interface to install manually on individual machines. You must use it if you want to install the universal forwarder across your system via a deployment tool. See "Remotely deploy a Windows universal forwarder with a static configuration" for detailed information on using the commandline interface with a deployment tool. Important: If you do not want the universal forwarder to start immediately after installation, you must use the commandline interface and include the LAUNCHSPLUNK=0 flag. This is useful if you'll be cloning the system image. Using the right combination of commandline flags, as discussed below, you can specify that the universal forwarder start for the first time after the image is installed on each clone. This ensures that the original master itself does not forward data to an indexer -- behavior that might not be desired, depending on your particular environment. Before following the procedures in this topic, read "Deployment overview".
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder (with optional migration and configuration).
2. Test and tune the deployment.
3. Perform any post-installation configuration.
4. Deploy the universal forwarder across your environment.
forwarder to fail to function properly. If you're not sure which account to run the universal forwarder under, speak with your Windows domain administrator about the best way to proceed. If you are the domain administrator, then start off by using an account that has at most the permissions described here, and add rights as needed until you get the results you want.

Important: If you decide to change the user that the universal forwarder runs as after you have installed, you must ensure that the new user has the necessary resource access rights, and Full Control permissions to the entire %SPLUNK_HOME% directory.

Security and remote access considerations

In the interests of security, Splunk strongly recommends that you create and place the universal forwarder account into a domain group, and then place that group into local groups on workstations and member servers, when assigning rights for the universal forwarder account. This helps maintain security integrity and makes it a lot easier to control access in the event of a security breach or site-wide change.

The following is a list of the minimum local permissions required by the universal forwarder account. Depending on the sources of data you need to access, the universal forwarder account may need a significant amount of additional permissions.
Required basic permissions for the SplunkForwarder service:

Full control over Splunk's installation directory
Read access to any flat files you want to index

Required Local Security Policy user rights assignments for the splunkd service:

Permission to log on as a service
Permission to log on as a batch job
Permission to replace a process-level token
Permission to act as part of the operating system
Permission to bypass traverse checking

Using Group Policy to assign user rights domain-wide

If you want to assign the policy settings shown above to all member servers in your AD domain, you can define a Group Policy object (GPO) for these specific rights and deploy that GPO across the domain or forest using the Domain Security Policy MMC snap-in (use the Domain Controller Security Policy snap-in for domain controllers). The member servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 2-3 hours), or at the next boot time.

Remember that identical Local Security Policy user rights defined on a member server are overwritten by the rights inherited from a GPO, and you can't change this setting. If you wish to retain previously existing rights defined on your member servers, they'll also need to be assigned within the GPO.
Troubleshooting permissions issues The rights described above are the rights that the SplunkForwarder service specifically invokes. Other rights may be required depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent the universal forwarder from working properly. If you have issues, consider using a tool such as Process Monitor to troubleshoot your environment. You can use the GPRESULT command line tool or the Group Policy Management Console (GPMC) to troubleshoot issues related to GPO application in your enterprise.
The value of <...> varies according to the particular release; for example, splunkuniversalforwarder-4.2-86454-x64-release.msi.

Important: Running the 32-bit version of the universal forwarder on a 64-bit platform is not recommended. If you can run the 64-bit universal forwarder on 64-bit hardware, we strongly recommend it. Its performance is greatly improved over the 32-bit version.

Commandline flags allow you to configure your forwarder at installation time. Using commandline flags, you can specify a number of settings, including:

The user the universal forwarder runs as. (Be sure the user you specify has the appropriate permissions to access the content you want to forward.)
The receiving Splunk instance that the universal forwarder will send data to.
A Splunk deployment server for updating the configuration.
The Windows event logs to index.
Whether the universal forwarder should start automatically when the installation is completed.
Whether to migrate checkpoint data from an existing light forwarder.

The following sections list the flags available and provide a few examples of various configurations.
These are the available flags:

AGREETOLICENSE=Yes|No (default: No)
    Specifies whether you agree to the license. Must be set to Yes to perform a silent installation.

INSTALLDIR="<directory_path>" (default: c:\Program Files\SplunkUniversalForwarder)
    Specifies the installation directory.
    Important: Do not install the universal forwarder over an existing installation of full Splunk. This is particularly vital if you are migrating from a light forwarder as described in "Migrate a Windows light forwarder". The default install directory for full Splunk is C:\Program Files\Splunk.

LOGON_USERNAME="<domain\username>" and LOGON_PASSWORD="<password>" (default: n/a)
    Use these flags to specify the user that will run the SplunkForwarder service. You must specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder will run as the Local System user. See "Choose the user the universal forwarder should run as".

RECEIVING_INDEXER="<host:port>" (default: n/a)
    Use this flag to specify the receiving indexer that the universal forwarder will send data to. Enter the receiver's name (hostname or IP address) and port.
    Note: This flag is optional, but if you don't specify it and also don't specify DEPLOYMENT_SERVER, the universal forwarder will be unable to function, as it will not have any way of determining which indexer to forward to.

DEPLOYMENT_SERVER="<host:port>" (default: n/a)
    Use this flag to specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server's name (hostname or IP address) and port.
    Note: This flag is optional, but if you don't specify it and also don't specify RECEIVING_INDEXER, the universal forwarder will be unable to function, as it will not have any way of determining which indexer to forward to.

LAUNCHSPLUNK=1|0 (default: 1)
    Specifies whether the universal forwarder starts when installation completes.

SERVICESTARTTYPE=auto|manual (default: auto)
    Specifies whether the universal forwarder starts when the system boots. By setting LAUNCHSPLUNK to 0 and leaving this flag set to auto, you will cause the universal forwarder to not start forwarding until the next system boot. This is useful when cloning a system image.

MONITOR_PATH="<directory_path>" (default: n/a)
    Use this flag to specify a file or directory to monitor.

WINEVENTLOG_APP_ENABLE=1|0, WINEVENTLOG_SEC_ENABLE=1|0, WINEVENTLOG_SYS_ENABLE=1|0, WINEVENTLOG_FWD_ENABLE=1|0, WINEVENTLOG_SET_ENABLE=1|0 (default: 0 (no))
    Use these flags to enable the application, security, system, forwarder, and setup Windows event logs, respectively.

PERFMON="<input>,<input>,..." (default: n/a)
    Use this flag to enable Windows performance monitoring inputs. The value can be any of these: cpu, memory, network, diskspace.

ENABLEADMON=1|0 (default: 0 (not enabled))
    Use this flag to enable Active Directory monitoring for a remote deployment.

CERTFILE=<c:\path\to\certfile.pem>, ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>, CERTPASSWORD=<password> (default: n/a)
    Use these flags to supply SSL certificates: the path to the cert file that contains the public/private key pair; the path to the file that contains the Root CA cert for verifying that CERTFILE is legitimate (optional); and the password for the private key of CERTFILE (optional).
    Note: You must also set RECEIVING_INDEXER.

MIGRATESPLUNK=1|0 (default: 0)
    Use this flag to migrate checkpoint data from an existing forwarder. The installer stops the old forwarder and copies its checkpoint files to the new universal forwarder. You are responsible for uninstalling the old forwarder. See "Deployment overview" and "Migrate a Windows light forwarder" for details.

CLONEPREP=1|0 (default: 0)
    Tells Splunk to delete any instance-specific data in preparation for creating a clone of a machine. This invokes the splunk clone-prep CLI command.
Silent installation
To run the installation silently, add /quiet to the end of your installation command string. You must also set the AGREETOLICENSE=Yes flag. If your system is running UAC (which is sometimes on by default), you must run the installation as Administrator. To do this, when opening a cmd prompt, right click and select "Run As Administrator". Then use the cmd window to run the silent install command.
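As a sketch, a silent installation command might look like this (the package name is taken from the example earlier in this topic; substitute the name of the MSI you downloaded):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi AGREETOLICENSE=Yes /quiet
```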
Examples
The following are some examples of using different flags.

Install the universal forwarder to run as the Local System user and request configuration from deploymentserver1

You might do this for new deployments of the forwarder.
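The command itself is missing from this copy; based on the flags described earlier, it would be along these lines (the package name is illustrative):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes
```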
Install the universal forwarder to run as a domain user, but do not launch it immediately

You might do this when preparing a sample host for cloning.
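A sketch of the corresponding command (the domain, username, and password are placeholders; the package name is illustrative):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi LOGON_USERNAME="ourdomain\splunkuser" LOGON_PASSWORD="<password>" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes
```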
Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode

You might do this to collect just the Security and System event logs through a "fire-and-forget" installation.
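A sketch of the corresponding command (the package name and receiving indexer are illustrative assumptions):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
```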
Install the universal forwarder, migrate from an existing forwarder, and run the installer in silent mode

You might do this if you want to migrate now and redefine your inputs later, perhaps after a validation step.
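A sketch of the corresponding command (the package name is illustrative):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi MIGRATESPLUNK=1 AGREETOLICENSE=Yes /quiet
```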
deployment server".
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install and configure the universal forwarder on a test machine, using the commandline interface with the desired flags.
2. Test and tune the deployment.
3. Load the universal forwarder MSI into your deployment tool, specifying the tested flags.
4. Execute deployment with your deployment tool.
5. Use the deployment monitor to verify that the universal forwarders are functioning.
RECEIVING_INDEXER="<server:port>"
At least one data input flag, such as WINEVENTLOG_APP_ENABLE=1. You can add as many data input flags as you need.

See "Deploy a Windows universal forwarder via the commandline" for a list of all available commandline flags.
Example installation
This example sets the universal forwarder to run as Local System user, get inputs from Windows security and system event logs, send data to indexer1, and launch automatically:
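The example command is missing from this copy; based on the flags described in "Deploy a Windows universal forwarder via the commandline", it would be along these lines (the package name is illustrative; indexer1 comes from the surrounding text):

```
msiexec.exe /i splunkuniversalforwarder-4.2-86454-x64-release.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
```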
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder.
2. Configure (and optionally migrate) the universal forwarder.
3. Test and tune the deployment.
4. Perform any additional post-installation configuration.
rpm -i splunkforwarder_<package_name>.rpm
rpm -i splunk_<package_name>.rpm
The only difference is the prefix to the package name: "splunkforwarder", instead of "splunk".
The default install directory

The universal forwarder installs by default in /opt/splunkforwarder. (The default install directory for full Splunk is /opt/splunk.)

Important: Do not install the universal forwarder over an existing installation of full Splunk. This is particularly vital if you will be migrating from a light forwarder as described in "Migrate a *nix light forwarder".
The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the universal forwarder and accept the license in one step:
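The command itself does not survive in this copy; consistent with the note about the two dashes that follows, it would be:

```
./splunk start --accept-license
```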
Note: There are two dashes before the accept-license option.

Configuration steps

After you start the universal forwarder and accept the license agreement, follow these steps to configure it:

1. Configure universal forwarder to auto-start:
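The command for this step is missing from this copy; the standard Splunk CLI command for enabling auto-start, run from $SPLUNK_HOME/bin, is:

```
./splunk enable boot-start
```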
2. Configure universal forwarder to act as a deployment client (optional). To do this, just specify the deployment server:
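The command for this step is missing from this copy; it is the same set deploy-poll command used in the sample deployment script later in this manual:

```
./splunk set deploy-poll <host>:<port>
```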
where: <host> is the deployment server's hostname or IP address and <port> is the port it's listening on. This step also automatically enables the deployment client functionality. 3. Configure the universal forwarder to forward to a specific receiving indexer, also known as the "receiver" (optional):
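The command for this step is missing from this copy; consistent with the ssl variant shown just below, it would be:

```
./splunk add forward-server <host>:<port> -auth <username>:<password>
```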
where: <host> is the receiving indexer's hostname or IP address and <port> is the port it's listening on. By convention, the receiver listens for forwarders on port 9997, but it can be set to listen on any port, so you'll need to check with the receiver's administrator to obtain the port number. For information on setting up a receiver, see "Enable a receiver". <username>:<password> is the username and password for logging into the forwarder. By default, these are "admin:changeme". (To set a password other than the default, issue the command: splunk edit user admin -password <new password> -role admin -auth admin:changeme.)

During this step, you can also configure a certificate for secure intra-Splunk communications, using a set of optional ssl flags to specify a certificate, root CA, and password. For example:
splunk add forward-server <host:port> -ssl-cert-path /path/ssl.crt -ssl-root-ca-path /path/ca.crt -ssl-password <password>
Note: If you do not specify a receiving indexer, be sure to configure universal forwarder to act as a deployment client, as described in step 2, so that it can later be configured for a receiving indexer. 4. To configure the universal forwarder's inputs, use the CLI add command or edit inputs.conf. See "About the CLI" and subsequent topics for details on using the CLI. For a complete list of CLI commands supported in the universal forwarder, see "Supported CLI commands".
getting the desired inputs and sending the right outputs to the indexer. You can use the deployment monitor to validate the universal forwarder.

If you migrated from an existing forwarder, make sure that the universal forwarder is forwarding data from where the old forwarder left off. If it isn't, you probably need to modify or add data inputs, so that they conform to those on the old forwarder. Examine the two inputs.conf files to ensure that the new universal forwarder has all the inputs that you want to maintain.

If you migrated from an existing forwarder, you can delete that old instance once your universal forwarder has been thoroughly tested and you're comfortable with the results.

See "Troubleshoot your deployment" for troubleshooting tips.
$SPLUNK_HOME/var/log/splunk/splunkd.log $SPLUNK_HOME/var/log/splunk/license_audit.log
The logs can be searched on the indexer for errors (index=_internal host=<ua-machine>). If the universal forwarder is malfunctioning such that it cannot forward the logs, use a text editor or grep to examine them on the universal forwarder machine itself.
For information on how to install and configure a single universal forwarder, see "Deploy a nix universal forwarder manually". That topic explains how to install onto a wide variety of *nix platforms from a package or a tarball and how to configure (and optionally migrate) using the Splunk CLI.
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install and configure the universal forwarder on a test machine, as described in "Deploy a *nix universal forwarder manually".
2. Test and tune the configuration.
3. Create a script wrapper for the installation and configuration commands.
4. Run the script on representative target machines to verify that it works with all required shells.
5. Execute the script against the desired set of hosts.
6. Use the deployment monitor to verify that the universal forwarders are functioning properly.
Specifies a Splunk instance to serve as a deployment server that can subsequently manage and update the forwarders. This is an optional configuration step.

Starts the forwarder executable on each host.

The script is well commented; be sure to study it carefully before modifying it for your environment. Here's the sample deployment script:
#!/bin/sh
#
# This script provides an example of how to deploy the Splunk universal
# forwarder to many remote hosts via ssh and common Unix commands.
#
# Note that this script will only work unattended if you have SSH host keys
# setup & unlocked. To learn more about this subject, do a web search for
# "openssh key management".

# ----------- Adjust the variables below -----------

# Populate this file with a list of hosts that this script should install to,
# with one host per line. You may use hostnames or IP addresses, as
# applicable. You can also specify a user to login as, for example, "foo@host".
#
# Example file contents:
#   server1
#   server2.foo.lan
#   you@server3
#   10.2.3.4
HOSTS_FILE="/path/to/splunk.install.list"

# This is the path to the Splunk tarball that you wish to push out. You may
# wish to make this a symlink to a versioned Splunk tarball, so as to minimize
# updates to this script in the future.
SPLUNK_FILE="/path/to/splunk-latest.tar.gz"

# This is where the Splunk tarball will be stored on the remote host during
# installation. The file will be removed after installation. You normally
# will not need to set this variable, as $NEW_PARENT will be used by default.
# SCRATCH_DIR="/home/your_dir/temp"

# The location in which to unpack the new Splunk tarball on the destination
# host. This can be the same parent dir as for your existing Splunk
# installation (if any). This directory will be created at runtime, if it
# does not exist.
NEW_PARENT="/opt"

# After installation, the forwarder will become a deployment client of this
# host. Specify the host and management (not web) port of the deployment
# server that will be managing these forwarder instances. If you do not wish
# to use a deployment server, you may leave this unset.
# DEPLOY_SERV="splunkDeployMaster:8089"

# A directory on the current host in which the output of each installation
# attempt will be logged. This directory need not exist, but the user running
# the script must be able to create it. The output will be stored as
# $LOG_DIR/<[user@]destination host>. If installation on a host fails, a
# corresponding file will also be created, as
# $LOG_DIR/<[user@]destination host>.failed.
LOG_DIR="/tmp/splunkua.install"

# For conversion from normal Splunk installs to the Splunk Universal Agent:
# After installation, records of Splunk's progress in indexing files (monitor)
# and filesystem change events (fschange) can be imported from an existing
# Splunk (non-forwarder) installation. Specify the path to that installation
# here. If there is no prior Splunk instance, you may leave this variable
# empty ("").
# NOTE: THIS SCRIPT WILL STOP THE SPLUNK INSTANCE SPECIFIED HERE.
OLD_SPLUNK="/opt/splunk"

# If you use a non-standard SSH port on the remote hosts, you must set this.
# SSH_PORT=1234

# You must remove this line, or the script will refuse to run. This is to
# ensure that all of the above has been read and set. :)
UNCONFIGURED=1

# ----------- End of user adjustable settings -----------

# helpers.
faillog() {
  echo "$1" >&2
}
fail() {
  faillog "ERROR: $@"
  exit 1
}

# error checks.
test "$UNCONFIGURED" -eq 1 && \
  fail "This script has not been configured. Please see the notes in the script."
test -z "$HOSTS_FILE" && \
  fail "No hosts configured! Please populate HOSTS_FILE."
test -z "$NEW_PARENT" && \
  fail "No installation destination provided! Please set NEW_PARENT."
test -z "$SPLUNK_FILE" && \
  fail "No splunk package path provided! Please populate SPLUNK_FILE."
if [ ! -d "$LOG_DIR" ]; then
  mkdir -p "$LOG_DIR" || fail "Cannot create log dir at \"$LOG_DIR\"!"
fi

# some setup.
77
if [ -z "$SCRATCH_DIR" ]; then SCRATCH_DIR="$NEW_PARENT" fi if [ -n "$SSH_PORT" ]; then SSH_PORT_ARG="-p${SSH_PORT}" SCP_PORT_ARG="-P${SSH_PORT}" fi NEW_INSTANCE="$NEW_PARENT/splunkforwarder" # this would need to be edited for non-UA... DEST_FILE="${SCRATCH_DIR}/splunk.tar.gz" # # # create script to run remotely. # # REMOTE_SCRIPT=" fail() { echo ERROR: \"\$@\" >&2 test -f \"$DEST_FILE\" && rm -f \"$DEST_FILE\" exit 1 } " ### try untarring tarball. REMOTE_SCRIPT="$REMOTE_SCRIPT (cd \"$NEW_PARENT\" && tar -zxf \"$DEST_FILE\") || fail \"could not untar /$DEST_FILE to $NEW_PARENT.\" " ### setup seed file to migrate input records from old instance, and stop old instance. if [ -n "$OLD_SPLUNK" ]; then REMOTE_SCRIPT="$REMOTE_SCRIPT echo \"$OLD_SPLUNK\" > \"$NEW_INSTANCE/old_splunk.seed\" || fail \"could not create seed file.\" \"$OLD_SPLUNK/bin/splunk\" stop || fail \"could not stop existing splunk.\" " fi ### setup deployment client if requested. if [ -n "$DEPLOY_SERV" ]; then REMOTE_SCRIPT="$REMOTE_SCRIPT \"$NEW_INSTANCE/bin/splunk\" set deploy-poll \"$DEPLOY_SERV\" --accept-license --answer-yes \ --auto-ports --no-prompt || fail \"could not setup deployment client\" " fi ### start new instance. REMOTE_SCRIPT="$REMOTE_SCRIPT \"$NEW_INSTANCE/bin/splunk\" start --accept-license --answer-yes --auto-ports --no-prompt || \ fail \"could not start new splunk instance!\" " ### remove downloaded file. REMOTE_SCRIPT="$REMOTE_SCRIPT
78
rm -f "$DEST_FILE" || fail \"could not delete downloaded file $DEST_FILE!\" " # # # end of remote script. # # exec 5>&1 # save stdout. exec 6>&2 # save stderr. echo echo echo echo echo echo echo echo test echo "In 5 seconds, will copy install file and run the following script on each" "remote host:" "====================" "$REMOTE_SCRIPT" "====================" "Press Ctrl-C to cancel..." -z "$MORE_FASTER" && sleep 5 "Starting." install on each host.
# main loop.
for DST in `cat "$HOSTS_FILE"`; do if [ -z "$DST" ]; then continue; fi LOG="$LOG_DIR/$DST" FAILLOG="${LOG}.failed" echo "Installing on host $DST, logging to $LOG." # redirect stdout/stderr to logfile. exec 1> "$LOG" exec 2> "$LOG" if ! ssh $SSH_PORT_ARG "$DST" \ "if [ ! -d \"$NEW_PARENT\" ]; then mkdir -p \"$NEW_PARENT\"; fi"; then touch "$FAILLOG" # restore stdout/stderr. exec 1>&5 exec 2>&6 continue fi # copy tarball to remote host. if ! scp $SCP_PORT_ARG "$SPLUNK_FILE" "${DST}:${DEST_FILE}"; then touch "$FAILLOG" # restore stdout/stderr. exec 1>&5 exec 2>&6 continue fi # run script on remote host and log appropriately. if ! ssh $SSH_PORT_ARG "$DST" "$REMOTE_SCRIPT"; then touch "$FAILLOG" # remote script failed.
79
else test -e "$FAILLOG" && rm -f "$FAILLOG" # cleanup any past attempt log. fi # restore stdout/stderr. exec 1>&5 exec 2>&6 if [ -e "$FAILLOG" ]; then echo " --> FAILED <--" else echo " SUCCEEDED" fi done FAIL_COUNT=`ls "${LOG_DIR}" | grep -c '\.failed$'` if [ "$FAIL_COUNT" -gt 0 ]; then echo "There were $FAIL_COUNT remote installation failures." echo " ( see ${LOG_DIR}/*.failed )" else echo echo "Done." fi # Voila.
Execute the script

Once you've executed the script, check any log files generated by your installation script for errors. For example, the sample script saves to /tmp/splunkua.install/<destination hostname>.
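As a minimal illustration of checking those logs, the failure summary below mirrors the logic at the end of the sample script. The LOG_DIR path matches the script's default; adjust it if you changed that setting.

```shell
# Sketch: summarize an install run by counting the .failed marker files
# that the sample script leaves behind for unsuccessful hosts.
LOG_DIR="/tmp/splunkua.install"
mkdir -p "$LOG_DIR"
FAIL_COUNT=`ls "$LOG_DIR" | grep -c '\.failed$'`
echo "remote installation failures: $FAIL_COUNT"
```

A nonzero count means at least one host needs attention; inspect the corresponding $LOG_DIR/<host> log for the error.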
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder on a test machine. See below.
2. Perform any post-installation configuration, as described here.
3. Test and tune the deployment, as described below.
4. Install the universal forwarder with the tested configuration onto a source machine.
5. Stop the universal forwarder.
6. Edit server.conf in /etc/system/local and remove the guid attribute.
7. Edit inputs.conf in /etc/system/local and remove any host attribute.
8. Prep your image or virtual machine for cloning.
9. On *nix systems, set the splunkd daemon to start on boot using cron or your scheduling system of choice. On Windows, set the service to Automatic but do not start it.
10. Distribute system image or virtual machine clones to machines across your environment and start them.
11. Use the deployment monitor to verify that the cloned universal forwarders are functioning.
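Steps 6 and 7 amount to deleting instance-specific attributes from the local configuration files before cloning. A minimal sketch of that edit follows; it operates on a temporary stand-in file so it can be run anywhere, whereas on a real forwarder the file would be $SPLUNK_HOME/etc/system/local/server.conf (the guid value shown is invented for the demo).

```shell
# Demo: strip the instance-specific guid attribute before cloning an image.
# A temp file stands in for $SPLUNK_HOME/etc/system/local/server.conf.
CONF=$(mktemp)
printf '[general]\nserverName = fwd01\nguid = 0A1B2C3D-0000-1111-2222-333344445555\n' > "$CONF"
# Delete the guid line; each clone then generates its own guid on first start.
grep -v '^guid' "$CONF" > "$CONF.tmp" && mv "$CONF.tmp" "$CONF"
cat "$CONF"
```

The same pattern applies to removing a hardcoded host attribute from inputs.conf in step 7.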
What you need to do

At the end of this process, you might want to perform additional configuration on the universal forwarder. Since the migration process only copies checkpoint files, you will probably want to manually copy over the old forwarder's inputs.conf configuration file (or at least examine it, to determine what data inputs it was monitoring). Once the universal forwarder is up and running (and after you've tested to ensure migration worked correctly), you can uninstall the old forwarder.
$SPLUNK_HOME/bin/splunk stop
2. Complete the basic installation of the universal forwarder, as described in "Deploy a *nix universal forwarder manually". Do not yet start the universal forwarder.

Important: Make sure you install the universal forwarder into a different directory from the existing light forwarder. Since the default install directory for the universal forwarder is /opt/splunkforwarder and the default install directory for full Splunk (including the light forwarder) is /opt/splunk, you'll be safe if you just stick with the defaults.

3. In the universal forwarder's installation directory (the new $SPLUNK_HOME), create a file named old_splunk.seed; in other words: $SPLUNK_HOME/old_splunk.seed. This file must contain a single line, consisting of the path of the old forwarder's $SPLUNK_HOME directory. For example: /opt/splunk.

4. Start the universal forwarder:
$SPLUNK_HOME/bin/splunk start
The universal forwarder will migrate the checkpoint files from the forwarder specified in the $SPLUNK_HOME/old_splunk.seed file. Migration only occurs the first time you run the start command.

5. Perform any additional configuration of the universal forwarder, as described in "Deploy a *nix universal forwarder manually". Since the migration process only copies checkpoint files, you will probably want to manually copy over the old forwarder's inputs.conf configuration file (or at least
examine it, to determine what data inputs it was monitoring). Once the universal forwarder is up and running (and after you've tested to ensure migration worked correctly), you can uninstall the old forwarder.
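The seed-file mechanism described above is simple enough to sketch. This demo uses a temporary directory in place of the universal forwarder's $SPLUNK_HOME; on a real system you would then run splunk start, which performs the one-time checkpoint migration.

```shell
# Demo: create the old_splunk.seed file that triggers checkpoint migration.
# A temp dir stands in for the universal forwarder's $SPLUNK_HOME.
UF_HOME=$(mktemp -d)
OLD_SPLUNK="/opt/splunk"   # path of the old forwarder's $SPLUNK_HOME
echo "$OLD_SPLUNK" > "$UF_HOME/old_splunk.seed"
cat "$UF_HOME/old_splunk.seed"
```

The file must contain exactly one line: the old forwarder's installation path.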
Note: You do not need to stop the forwarder before upgrading. The MSI will do this automatically as part of the upgrade process.

3. The forwarder will start automatically when you complete the installation. The installer puts a log of upgrade changes in %TEMP%. It also reports any errors in the Application Event log.
The value of <...> varies according to the particular release; for example, splunkuniversalforwarder-4.2-86454-x64-release.msi.

Important: You cannot make configuration changes during upgrade. If you specify any command line flags besides "AGREETOLICENSE", the MSI just ignores them.

Note: You do not need to stop the forwarder before upgrading. The MSI will do this automatically as part of the upgrade process.

3. The forwarder will start automatically when you complete the installation. The installer puts a log of upgrade changes in %TEMP%. It also reports any errors in the Application Event log.
1. Load the universal forwarder MSI into your deployment tool. In most cases, you will want to run the command like this:
See the previous section, "Upgrade using the command line", for details on the MSI command. 2. Execute deployment with your deployment tool. 3. Use the deployment monitor to verify that the universal forwarders are functioning properly. You might want to test the upgrade locally on one machine before performing a remote upgrade across all your forwarders.
before the files are updated. If you choose to view the changes before proceeding, a file containing the changes that the upgrade script proposes to make is written to
$SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>
$SPLUNK_HOME/bin/splunk stop
Important: Make sure no other processes will start the forwarder automatically (such as Solaris SMF).

2. Install the Splunk package over your existing Splunk deployment:

If you are using a .tar file, expand it into the same directory with the same ownership as your existing universal forwarder instance. This overwrites and replaces matching files but does not remove unique files.

If you are using a package manager, such as RPM, type: rpm -U <splunk_package_name>.rpm

If you are using a .dmg file (on MacOS), double-click it and follow the instructions. Be sure to specify the same installation directory as your existing installation.

If you use init scripts, be sure to include the following so the EULA gets accepted:
$SPLUNK_HOME/bin/splunk start
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.

If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.

Perform migration and upgrade without previewing configuration changes? [y/n]
4. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files, or proceed with the migration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.
6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again. Note: You can complete Steps 3 to 5 in one line: To accept the license and view the expected changes (answer 'n') before continuing the upgrade:
To accept the license and begin the upgrade without viewing the changes (answer 'y'):
config
splunkd-port
default-hostname
minfreemb
servername
datastore-dir
exec
monitor
app
tcp
udp
forward-server
deploy-client
deploy-poll
oneshot
user
ad
registry
wmi
eventlog
perfmon
See "About the CLI" and subsequent topics for details on using the CLI. These topics include the list of commands supported by full Splunk.
Set up forwarding
You can use Splunk Web or the Splunk CLI as a quick way to enable forwarding in a Splunk instance. You can also enable, as well as configure, forwarding by creating an outputs.conf file for the Splunk instance. Although setting up forwarders with outputs.conf requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information. Note: When you install a Splunk instance to be used as a light forwarder, select the forwarder license. You can then enable the light forwarder, as described below. For a heavy forwarder that performs
indexing, you need an Enterprise license. For more information, see "Types of Splunk licenses".

Set up heavy forwarding with Splunk Web

Use Splunk Manager to set up a forwarder. To set up a heavy forwarder:

1. Log into Splunk Web as admin on the server that will be forwarding data.
2. Click the Manager link in the upper right corner.
3. Select Forwarding and receiving in the Data area.
4. Click Add new in the Forward data section.
5. Enter the hostname or IP address for the receiving Splunk instance(s), along with the listening port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997. You can enter multiple hosts. Depending on whether the Automatic load balancing box is checked, this results in either load balancing, in which the forwarder load balances between the hosts, or data cloning, in which all events are sent to all specified hosts.
6. Click Save.

You must restart Splunk to complete the process.

You can use Splunk Web to perform one other configuration (for heavy forwarders only). To store a copy of indexed data local to the forwarder:

1. From Forwarding and receiving, select Forwarding defaults.
2. Select Yes to store and maintain a local copy of the indexed data on the forwarder.

Important: A heavy forwarder has a key advantage over light and universal forwarders in that it can index your data locally, as well as forward the data to another Splunk indexer. However, local indexing is turned off by default. If you want to store data on the forwarder, you must enable that capability, either in the manner described above or by editing outputs.conf. All other configuration must be done in outputs.conf.

Set up light forwarding with Splunk Web

Use Splunk Manager to set up a forwarder. To enable light forwarding, you must first enable heavy forwarding on the Splunk instance. Then you separately enable light forwarding. This procedure combines the two processes:

1. Log into Splunk Web as admin on the server that will be forwarding data.
2. Click the Manager link in the upper right corner.
3. Select Forwarding and receiving in the Data area.
4. Click Add new in the Forward data section.
5. Enter the hostname or IP address for the receiving Splunk instance, along with the listening port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997.
6. Click Save.
7. Return to Manager > Forwarding and receiving.
8. Click Enable lightweight forwarding in the Forward data section.

You must restart Splunk to complete the process.

Important: When you enable a light forwarder, Splunk Web is immediately disabled. You will then need to use the Splunk CLI or outputs.conf to perform any further configuration on the forwarder. Therefore, if you want to use Splunk Web to configure your forwarder, do so before you enable light forwarding.

Set up forwarding with the Splunk CLI

With the CLI, setting up forwarding is a two-step process. First you enable forwarding on the Splunk instance. Then you start forwarding to a specified receiver. To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path. To enable the forwarder mode, enter:
Note: In the CLI enable command, SplunkForwarder represents the heavy forwarder.

Important: After this step, make sure you restart your Splunk instance as indicated! Attempting to start forwarding activity using the CLI before restarting splunkd will not work!

To disable the forwarder mode, enter:
This command disables forwarding and reverts the Splunk instance to a full server.

Start forwarding activity from the Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path. To start forwarding activity, enter:
Note: Although this command ends forwarding activity, the Splunk instance remains configured as a forwarder. To revert the instance to a full Splunk server, use the disable command:
Important: Make sure you restart your Splunk instance as indicated by the CLI to take these changes into account.
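As discussed earlier in this topic, the same forwarding setup can instead be expressed directly in outputs.conf. A minimal sketch follows; the group name is a placeholder, and the receiver host/port echo the example used above (see "Configure forwarders with outputs.conf" for the full set of attributes):

```
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = receivingserver.com:9997
```

Listing two or more host:port pairs in the server attribute lets the forwarder distribute events among them, mirroring the Automatic load balancing option in Splunk Web.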
Upgrade a forwarder
To upgrade a forwarder to a new version, just upgrade the Splunk instance in the usual fashion. For details, read the upgrade section of the Installation manual.

Important: Before doing an upgrade, consider whether you really need to. In many cases, there's no compelling reason to upgrade a forwarder. Forwarders are always compatible with later-version indexers, so you do not need to upgrade them just because you've upgraded the indexers they're sending data to.

Back up your files first

Before you perform the upgrade, we strongly recommend that you back up all of your files. Most importantly, back up your Splunk configuration files. For information on backing up configurations, read "Back up configuration information" in the Admin manual. If you're upgrading a heavy forwarder that's indexing data locally, you also need to back up the indexed data. For information on backing up data, read "Back up indexed data" in the Admin manual.

Splunk does not provide a means of downgrading to previous versions; if you need to revert to an older forwarder release, just reinstall it.
For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.
[pipeline:indexerPipe]
disabled_processors = indexandforward, diskusage, signing, tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor

[pipeline:distributedDeployment]
disabled = true

[pipeline:distributedSearch]
disabled = true

[pipeline:fifo]
disabled = true

[pipeline:merging]
disabled = true

[pipeline:typing]
disabled = true

[pipeline:udp]
disabled = true

[pipeline:tcp]
disabled = true

[pipeline:syslogfifo]
disabled = true

[pipeline:syslogudp]
disabled = true

[pipeline:parsing]
disabled_processors = utf8, linebreaker, header, sendOut

[pipeline:scheduler]
disabled_processors = LiveSplunks
These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler. The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.

Purge old indexes

When you convert a Splunk indexer instance to a lightweight forwarder, among other things, you disable indexing. In addition, you no longer have access to any data previously indexed on that instance. However, the data still exists. If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean command, and then re-enable the app. For information on the clean command, see "Remove indexed data from Splunk" in the Admin manual.
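For example, an override might re-enable one of the pipelines listed above. The fragment below is a hypothetical sketch (the stanza name comes from the defaults shown earlier; as with any Splunk app, place overrides in the app's local directory rather than editing the default file):

```
# Hypothetical override for the light forwarder:
# re-enable the typing pipeline.
[pipeline:typing]
disabled = false
```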
In this diagram showing a distributed search scenario for access control, a "security" department search head has visibility into all the indexing search peers. Each search peer also has the ability to search its own data. In addition, the department A search peer has access to both its data and the data of department B:
Finally, this diagram shows the use of load balancing and distributed search to provide high availability access to data:
For more information on load balancing, see "Set up load balancing" in this manual. For information on Splunk distributed searches and capacity planning, see "Dividing up indexing and searching" in the Installation manual.
User authorization
All authorization for a distributed search originates from the search head. At the time it sends the search request to its search peers, the search head also distributes the authorization information. It tells the search peers the name of the user running the search, the user's role, and the location of the distributed authorize.conf file containing the authorization information.
Cross-version compatibility
All search nodes must be 4.x

All search nodes must be running Splunk 4.x to participate in the distributed search. Distributed search is not backwards compatible with Splunk 3.x.

Compatibility between 4.3 search heads and 4.2 search peers

You can run 4.3 search heads across 4.2 search peers, but some 4.3 search-related functionality will not be available. These are the main features that require 4.3 search peers:

The spath search command.
Bloom filters.
Historical backfill for real-time data from the search peers.

Also, note that 4.3-specific stats/chart/timechart functionality is less efficient when used against 4.2.x search peers, because the search peers can't provide map/reduce capability for that functionality. The functionality affected includes sparklines and the earliest() and latest() functions.

Bundle replication warning when running a 4.2 search head against a 4.1.x search peer

Bundle replication is the process by which the search head distributes knowledge bundles, containing the search-time configurations, to its search peers. This ensures that all peers run searches using the same configurations, so that, for example, all peers use the same definition of an event type.

Starting with 4.2, bundle replication occurs asynchronously. The search head performs bundle replication in a non-blocking fashion that allows in-progress searches to continue on the search peers. When issuing searches, the search head specifies the bundle version that the peers must use to run those searches. The peers will not start using the newly replicated bundles until the search head confirms that all peers have the latest bundle version.

However, the new 4.2 search head behavior can cause pre-4.2 search peers to get out of sync and use different bundles when running their searches.
If you run a 4.2 search head against 4.1.x search peers, you'll get this warning message: "Asynchronous bundle replication might cause (pre 4.2) search peers to run searches with different bundle/config versions. Results might not be correct."

Note: This issue goes away with 4.2.1 search heads. Starting with 4.2.1, the search head reverts to synchronized bundle replication if any of the search peers is pre-4.2.
Note: If you do want to use a Splunk instance as both a search head and a search peer, or otherwise perform indexing on the search head, just install the search head as a regular Splunk instance with a normal license, as described in "About Splunk licenses" in the Installation manual.

To install a dedicated search head, follow these steps:

1. Determine your hardware needs by reading this topic in the Installation manual.
2. Install Splunk, as described in the topic in the Installation manual specific to your operating system.
3. Add the search head to your Enterprise license group, even if it's a dedicated search head that's not expected to index any data. For more information, see "Types of Splunk licenses".
4. Establish distributed search from the search head to all the indexers, or "search peers", you want it to search. See "Configure distributed search" for how to do this.
5. Log in to your search head and do a search for *. Look at your results and check the splunk_server field. Verify that all your search peers are listed in that field.
6. Set up the authentication method you want to use on the search head, just as you would for any other Splunk instance.

Do not set up any indexing on your search head, since that will violate its license.
Configuration overview
You set up distributed search on a search head using any of these methods:

Splunk Web
Splunk CLI
The distsearch.conf configuration file

Splunk Web is the recommended method for most purposes. The configuration happens on the designated search head. The main step is to specify the search head's search peers. The distributed search capability itself is already enabled by default.

Important: Before an indexer can function as a search peer, you must change its password from the default "changeme". Otherwise, the search head will not be able to authenticate against it.

Note: Starting with Splunk version 4.3, you can use an IPv6 address when specifying a search peer manually. For more information, see "Configure Splunk for IPv6" in the Admin manual.

Aside from changing the password, no configuration is generally necessary on the search peers. Access to the peers is controlled through public key authentication. However, you do need to perform some configuration on the search peers if you mount the knowledge bundles, so that the peers can access them. See "Mount the knowledge bundle" for details.
4. Specify "Yes" for the option: "Automatically add other Splunk servers?".
5. Change any other settings as needed and click Save.

On each search peer:

1. Log into Splunk Web and click Manager.
2. Click Distributed search in the Deployment area.
3. Click Distributed search setup.
4. Specify "Yes" for the option: "Broadcast to other Splunk servers?"
5. Change any other settings as needed and click Save.
Add a search peer manually

Use the splunk add search-server command to add a search peer. When you run this command, make sure you specify the splunkd management port of the peer server. By default, this is 8089, although it might be different for your deployment. Be sure to provide credentials for both the local and the remote machines. Use the -auth flag for your local credentials and the -remoteUsername and -remotePassword flags to specify the remote credentials (in this example, for search peer 10.10.10.10):
splunk add search-server -host 10.10.10.10:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
Each of these commands will elicit a response from the server indicating success and the need to restart the server for the changes to take effect.
Edit distsearch.conf
In most cases, the settings available through Splunk Web provide sufficient options for configuring distributed search environments. Some advanced configuration settings, however, are only available through distsearch.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For the detailed specification and examples, see distsearch.conf. For more information on configuration files in general, see "About configuration files".

Note: As of 4.1, the blacklistNames and blacklistURLs attributes no longer have any effect on distributed search behavior.

Distribute the key files

If you add search peers via Splunk Web or the CLI, Splunk automatically handles authentication. However, if you add peers by editing distsearch.conf, you must distribute the key files manually. After enabling distributed search on a Splunk instance (and restarting the instance), you will find the keys in this location: $SPLUNK_HOME/etc/auth/distServerKeys/

Distribute the file $SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem on the search head to $SPLUNK_HOME/etc/auth/distServerKeys/<searchhead_name>/trusted.pem on the indexer nodes.
Support for keys from multiple Splunk instances
Any number of Splunk instances can have their certificates stored on other instances for authentication. The instances can store keys in $SPLUNK_HOME/etc/auth/distServerKeys/<peername>/trusted.pem. For example, if you have Splunk search heads A and B and they both need to search Splunk index node C, do the following:

1. On C, create $SPLUNK_HOME/etc/auth/distServerKeys/A/ and $SPLUNK_HOME/etc/auth/distServerKeys/B/.
2. Copy A's trusted.pem to $SPLUNK_HOME/etc/auth/distServerKeys/A/ and B's trusted.pem to $SPLUNK_HOME/etc/auth/distServerKeys/B/.
3. Restart C.
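The three steps above can be sketched as follows. This demo uses temporary directories and dummy key files to stand in for instance C's $SPLUNK_HOME and for the certificates copied from A and B, so it runs without any real Splunk instances.

```shell
# Demo of steps 1-2: stage A's and B's certificates on index node C.
C_HOME=$(mktemp -d)                        # stand-in for C's $SPLUNK_HOME
A_KEY=$(mktemp); echo "A-cert" > "$A_KEY"  # stand-in for A's trusted.pem
B_KEY=$(mktemp); echo "B-cert" > "$B_KEY"  # stand-in for B's trusted.pem
mkdir -p "$C_HOME/etc/auth/distServerKeys/A" "$C_HOME/etc/auth/distServerKeys/B"
cp "$A_KEY" "$C_HOME/etc/auth/distServerKeys/A/trusted.pem"
cp "$B_KEY" "$C_HOME/etc/auth/distServerKeys/B/trusted.pem"
ls "$C_HOME/etc/auth/distServerKeys"
# Step 3 on a real system: restart C so it picks up the new keys.
```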
All files that satisfy the whitelist regex will be included in the bundle that the search head distributes to its search peers. If multiple regexes are specified, the bundle will include the union of those files. In this example, the knowledge bundle will include all files with extensions of either ".conf" or ".spec":

The names, such as allConf and allSpec, are used only for layering. That is, if you have both a global and a local copy of distsearch.conf, the local copy can be configured so that it overrides only one of the regexes. For instance, assume that the example shown above is the global copy. Assume you then specify a whitelist in your local copy like this:

The two conf files will be layered, with the local copy taking precedence. Thus, the search head will distribute only files that satisfy these two regexes:
For more information on attribute layering in configuration files, see "Attribute precedence" in the Admin manual. You can also create a replication blacklist, using the [replicationBlacklist] stanza. The blacklist takes precedence over any whitelist. See distsearch.conf in the Admin manual for details. As an alternative to replicating and distributing a knowledge bundle, large or small, to search peers, you can mount the knowledge bundle on shared storage. For more information, read "Mount the knowledge bundle".
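For reference, a whitelist stanza matching the ".conf"/".spec" example discussed above might look like the fragment below. The allConf and allSpec names are the layering names mentioned in the text; see distsearch.conf in the Admin manual for the authoritative syntax.

```
[replicationWhitelist]
allConf = *.conf
allSpec = *.spec
```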
For identifying search peers in search queries. serverName is the value of the splunk_server field that you specify when you want to query a specific node. See "Search across one or more distributed search peers" in the User manual.

For identifying search peers in search results. serverName gets reported back in the splunk_server field.

Note: serverName is not used when adding search peers to a search head. In that case, you identify the search peers through their domain names or IP addresses.

The only reason to change serverName is if you have multiple instances of Splunk residing on a single machine, and they're participating in the same distributed search cluster. In that case, you'll need to change serverName to distinguish them.
DistributedBundleReplicationManager - bundle replication to 2 peer(s) took too long (12943ms), bundle file size=296150KB ...
For multiple pooled search heads. For multiple search heads, you can combine mounted bundles with search head pooling. The pooled search heads maintain one bundle on the shared storage, and all search peers access that bundle. This diagram shows search head pooling with a mounted bundle:
For multiple non-pooled search heads. Maintain the knowledge bundle(s) on each search head's local storage (no search head pooling). In this diagram, each search head maintains its own bundle, which each search peer mounts and accesses individually:
There are numerous other architectures you can design with mounted bundles. You could, for example, use shared storage for multiple search heads, but without search head pooling. On the shared storage, you would maintain separate bundles for each search head. The search peers would need to access each bundle individually.
In each case, the search peers need access to each search head's $SPLUNK_HOME/etc/{apps,users,system} subdirectories. In the case of search head pooling, the search peers need access to the pool's shared set of subdirectories. Important: The search peers use the mounted directories only when fulfilling the search head's search requests. For indexing and other purposes not directly related to distributed search, the search peers will use their own, local apps, users, and system directories, the same as any other indexer.
shareBundles=false
This stops the search head from replicating bundles to the search peers.

3. Restart the search head.

Configure the search peers

For each search peer, follow these steps to access the mounted bundle:

1. Mount the bundle directory on the search peer.
2. Create a distsearch.conf file in $SPLUNK_HOME/etc/system/local/ on the search peer. For each search head that the peer is connected to, create a [searchhead:<searchhead-splunk-server-name>] stanza, with these attributes:
Note the following:

The search peer's configuration file must contain only the [searchhead:<searchhead-splunk-server-name>] stanza(s). The other stanzas in distsearch.conf are for search heads only.

To identify the <searchhead-splunk-server-name>, run this command on the search head:
The <path_to_bundles> needs to specify the mountpoint on the search peer, not on the search head. For example, say $SPLUNK_HOME on your search head is /opt/splunk, and you export /opt/splunk/etc via NFS. Then, on the search peer, you mount that NFS share at /mnt/splunk-head. The value of <path_to_bundles> should be /mnt/splunk-head, not /opt/splunk.

Important: If multiple search heads will be distributing searches to this search peer, you must create a separate stanza on the search peer for each of them. This is necessary even if you're using search head pooling.

3. Restart the search peer.

Note: You can optionally set up symbolic links to the bundle subdirectories (apps, users, system) to ensure that the search peer has access only to the necessary subdirectories in the search head's /etc directory. See the following example for details on how to do this.

Example configuration

Here's an example of how to set up mounted bundles on shared storage:
Search head
On a search head whose Splunk server name is "searcher01":

1. Mount the search head's $SPLUNK_HOME/etc directory to shared storage with read/write access.

2. In the distsearch.conf file on the search head, set:
[distributedSearch] ...
shareBundles = false
Search peers

For each search peer:

1. Mount the search head's $SPLUNK_HOME/etc directory on the search peer to:
/mnt/searcher01
2. (Optional.) Create a directory that consists of symbolic links to the bundle subdirectories:
/opt/shared_bundles/searcher01 /opt/shared_bundles/searcher01/system -> /mnt/searcher01/system /opt/shared_bundles/searcher01/users -> /mnt/searcher01/users /opt/shared_bundles/searcher01/apps -> /mnt/searcher01/apps
Note: This optional step is useful for ensuring that the peer has access only to the necessary subdirectories.

3. Create a distsearch.conf file in $SPLUNK_HOME/etc/system/local/ on the search peer, with this stanza:
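The stanza for this step was dropped during extraction. Following the paths used earlier in this example (the /opt/shared_bundles/searcher01 symlink directory), it would read:

```
[searchhead:searcher01]
mounted_bundles = true
bundles_location = /opt/shared_bundles/searcher01
```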
4. Restart the search peer. 5. Repeat the process for each search peer.
Example configuration: Search head pooling with mounted bundles

This example shows how to combine search head pooling and mounted bundles in one system. There are two main sections to the example:

1. Set up a search head pool consisting of two search heads. In this part, you also mount the bundles.
2. Set up the search peers so that they can access bundles from the search head pool.

The example assumes you're using an NFS mount for the shared storage location.
Part 1: Set up the search head pool
Before configuring the pool, perform these preliminary steps:

1. Enable two Splunk instances as search heads. This example assumes that the instances are named "searcher01" and "searcher02".
2. Set up a shared storage location accessible to each search head. This example assumes that you set up an NFS mountpoint, specified on the search heads as /mnt/search-head-pooling.

For detailed information on these steps, see "Create a pool of search heads".

Now, configure the search head pool:

1. On each search head, stop splunkd:
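The command for this step was lost in extraction; stopping splunkd uses the standard CLI:

```
splunk stop
```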
2. On each search head, enable search head pooling. In this example, you're using an NFS mount of /mnt/search-head-pooling as your shared storage location:
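The command here was dropped during extraction. Using the pooling enable syntax shown later in this manual, with this example's mountpoint, it would be:

```
splunk pooling enable /mnt/search-head-pooling
```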
Among other things, this step creates empty /etc/apps and /etc/users directories under /mnt/search-head-pooling. Step 3 uses those directories. 3. Copy the contents of the $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/users directories on one of the search heads into the /etc/apps and /etc/users subdirectories under /mnt/search-head-pooling:
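The copy commands for step 3 did not survive extraction. Following the cp pattern used for etc/system in the next step, they would look like:

```
cp -r $SPLUNK_HOME/etc/apps/* /mnt/search-head-pooling/etc/apps
cp -r $SPLUNK_HOME/etc/users/* /mnt/search-head-pooling/etc/users
```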
4. Copy the $SPLUNK_HOME/etc/system directory into shared storage as well:

cp -r $SPLUNK_HOME/etc/system /mnt/search-head-pooling/etc/
5. On each search head, edit the distsearch.conf file to set shareBundles = false:
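The snippet for this step was lost in extraction; it matches the setting shown in the earlier mounted-bundles example:

```
[distributedSearch]
shareBundles = false
```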
Part 2: Mount bundles on the search peers

Now, mount the bundles on the search peers. On each search peer, perform these steps:

1. Mount the shared storage location (the same location that was earlier set to /mnt/search-head-pooling on the search heads) so that it appears as /mnt/bundles on the peer.

2. Create a directory that consists of symbolic links to the bundle subdirectories:
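The symlink listing for this step was dropped during extraction. Mirroring the earlier searcher01 example, and assuming the shared storage's etc subdirectories appear under /mnt/bundles/etc, the layout would be:

```
mkdir -p /opt/shared_bundles/bundles
ln -s /mnt/bundles/etc/system /opt/shared_bundles/bundles/system
ln -s /mnt/bundles/etc/users  /opt/shared_bundles/bundles/users
ln -s /mnt/bundles/etc/apps   /opt/shared_bundles/bundles/apps
```

The /opt/shared_bundles/bundles path matches the bundles_location used in the distsearch.conf stanzas in the next step.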
3. Create a distsearch.conf file in $SPLUNK_HOME/etc/system/local/ on the search peer, with stanzas for each of the two search heads:
[searchhead:searcher01] mounted_bundles = true bundles_location = /opt/shared_bundles/bundles [searchhead:searcher02] mounted_bundles = true bundles_location = /opt/shared_bundles/bundles
You must enable search head pooling on each search head, so that they can share configuration and user data. Once search head pooling has been enabled, these categories of objects will be available as common resources across all search heads in the pool:

- configuration data -- configuration files containing settings for saved searches and other knowledge objects.
- search artifacts -- records of specific search runs.
- scheduler state -- so that only one search head in the pool runs a particular scheduled search.

For example, if you create and save a search on one search head, all the other search heads in the pool will automatically have access to it. Search head pooling makes all files in $SPLUNK_HOME/etc/{apps,users} available for sharing. This includes *.conf files, *.meta files, view files, search scripts, lookup tables, etc. You can also combine search head pooling with mounted knowledge bundles, as described in "Mount the knowledge bundle".

Note: All search heads in a pool should be running the same version of Splunk. Be sure to upgrade all of them at once.

Important: Most shared storage solutions don't work well across a WAN. Since search head pooling requires shared storage, you generally should not implement it across a WAN.
3. Stop the search heads

Before enabling pooling, you must stop splunkd. Do this for each search head in the pool.

4. Enable pooling on each search head

You use the pooling enable CLI command to enable pooling on a search head. The command sets certain values in server.conf. It also creates subdirectories within the shared storage location and validates that Splunk can create and move files within them. Here's the command syntax:
splunk pooling enable <path_to_shared_storage> [--debug]
Note: On NFS, <path_to_shared_storage> should be the NFS share's mountpoint. On Windows, <path_to_shared_storage> should be the UNC path of the CIFS/SMB share. The --debug parameter causes the command to log additional information to btool.log.

Execute this command on each search head in the pool. The command sets values in the [pooling] stanza of the server.conf file in $SPLUNK_HOME/etc/system/local. For detailed information, see the server.conf specification.

5. Copy user and app directories to the shared storage location

Copy the contents of the $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/users directories on an existing search head into the empty /etc/apps and /etc/users directories in the shared storage location. Those directories were created in step 4 and reside under the <path_to_shared_storage> that you specified at that time. For example, if your NFS mount is at /tmp/nfs, copy the apps subdirectories that match this pattern:
$SPLUNK_HOME/etc/apps/*
into
/tmp/nfs/etc/apps
$SPLUNK_HOME/etc/users/*
into
/tmp/nfs/etc/users
Important: You can choose to copy over just a subset of apps and user subdirectories; however, be sure to move them to the precise locations described above.

6. Restart the search heads

After running the pooling enable command, restart splunkd. Do this for each search head in the pool.
For details, see alert_actions.conf in the Admin manual. The alert links should now point to the load balancer, not the individual search heads.
Disable search head pooling You can disable search head pooling with this CLI command:
splunk pooling disable [--debug]
Run this command for each search head that you need to disable.

Important: Before running the pooling disable command, you must stop splunkd. After running the command, you should restart splunkd.

Display pooling status

You can use the pooling display CLI command to determine whether pooling is enabled on a search head:
splunk pooling display
This example shows how the system response varies depending on whether pooling is enabled:
$ splunk pooling enable /foo/bar $ splunk pooling display Search head pooling is enabled with shared storage at: /foo/bar $ splunk pooling disable $ splunk pooling display Search head pooling is disabled
Note: This is not necessary if you make changes by means of Splunk Web Manager or the CLI.
NFS client concurrency limits can cause search timeouts or slow search behavior If searches are timing out or running slowly, you might be exhausting the maximum number of concurrent requests supported by the NFS client. To solve this problem, increase your client concurrency limit. For example, on a Linux NFS client, adjust the tcp_slot_table_entries setting.
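As a sketch of the adjustment described above, assuming a Linux NFS client with the sunrpc module loaded (128 is an arbitrary example value; pick a limit appropriate to your workload, and note the share must be remounted for the change to take effect):

```
# Check the current concurrency limit
sysctl sunrpc.tcp_slot_table_entries

# Raise the limit, then remount the NFS share
sysctl -w sunrpc.tcp_slot_table_entries=128
```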
The status column in the first half of this table was lost in extraction; the possible meanings are:

- The specified remote peer is not available.
- The specified remote peer is not a Splunk server.
- The specified remote peer is using a duplicate license.
- Authentication with the specified remote peer failed.
Then, click on the app to view it. This image shows a somewhat compressed view of the top half of the deployment monitor's home dashboard (the bottom half of the dashboard contains a set of warnings, useful for quick troubleshooting):
You can also download the deployment monitor from Splunkbase and install it in the usual manner. Note: The deployment monitor app uses several scheduled searches. Some of these searches run on an hourly basis. After you enable the deployment monitor, you should wait until a few minutes after the new hour has passed (for example, 14:02, 17:02) before launching it for the first time, to ensure that the scheduled searches have run at least once. This will make a huge difference in its performance.
potentially serious conditions. The page itself provides guidance on what each type of warning means. For detailed information on warnings, see the topic "Troubleshoot your deployment". Underneath each chart, there's a link, View results. Click this link to view the raw data behind the chart, as well as the originating search command. Here's the top half of the home dashboard, with the View results links circled:
Note: You can modify the underlying searches for any of the charts or warnings. For example, you might want to change the scheduled search frequency to suit your specific needs. To access the chart searches, click the View results link below the chart. To access the warning searches, click the green arrow to the right of the warning. In addition to the dashboard, the app includes several other pages that provide detailed information on indexers, forwarders, source types, and licensing. You can reach these pages from links near the top of the dashboard. See the topic "Drill for details".
Types of warnings
Warnings indicate possibly unusual behavior in indexers and forwarders. Here are the possible warnings, along with their likely causes and suggested remedies.

Indexer warnings

N idle indexer(s)
    Likely causes: Possible problem with indexer, network, data sources, or forwarders sending data to the indexer.
    Possible remedies: Drill down into the list of indexers and into the detailed information for each indexer to determine root cause and remedy.

N overloaded indexer(s)
    Likely causes: Indexer cannot keep up with incoming data flow. This can result in poor search performance and data latency.
    Possible remedies: Add more indexers or filter incoming data.

Forwarder warnings

N missing forwarder(s)
    Likely causes: Splunk failure, network outage, or issue with underlying system. Trivial causes include laptops or virtualized hosts going on/off line.
    Possible remedies: Drill down into the list of missing forwarders and into the detailed information for each missing forwarder to determine root cause and remedy.

N quiet forwarder(s)
    Likely causes: Forwarder believes a source has gone silent.
    Possible remedies: Determine whether the problem lies with the source or with the forwarder. Drill down into the list of forwarders and into the detailed information for each forwarder to determine root cause and remedy.

N forwarder(s) sending less than expected
    Likely causes: Can indicate a problem with the underlying system.
    Possible remedies: Drill down into the list of forwarders and into the detailed information for each forwarder to determine root cause and remedy.

N forwarder(s) sending more than expected
    Likely causes: Can indicate an attack, data dump due to application crash, or other system problem. Other possibilities include bad Splunk configuration or a new rogue data source configured by a user. Too much data can result in license violations or indexers being unavailable for searches.
    Possible remedies: Drill down into the list of forwarders and into the detailed information for each forwarder to determine root cause and remedy.

Source type warnings

N missing source type(s)
    Likely causes: A source type isn't being correctly applied to a source, perhaps because the source data has changed, or the source is misconfigured.
    Possible remedies: Drill down into the list of missing source types and into the detailed information for each missing source type to determine root cause and remedy.

N source type(s) sending less than expected
    Likely causes: A source type isn't being correctly applied to some of the data from a source. Network issues are preventing data from reaching Splunk.
    Possible remedies: Drill down into the list of source types and into the detailed information for each source type to determine root cause and remedy.

N source type(s) sending more than expected
    Likely causes: Data from one source is being incorrectly source-typed. A system is in an error loop and is sending many repeated messages.
    Possible remedies: Drill down into the list of source types and into the detailed information for each source type to determine root cause and remedy.
If the apps work as expected, you can move them to the appropriate location during the upgrade of your distributed Splunk environment: If you use non-pooled search heads, move the apps to $SPLUNK_HOME/etc/apps on each search head during the search head upgrade process. If you use pooled search heads, move the apps to the shared storage location where the pooled search heads expect to find the apps.
Upgrade a distributed environment with multiple indexers and non-pooled search heads
To maintain availability, Splunk recommends that, when upgrading a distributed Splunk environment with multiple indexers and non-pooled search heads, you upgrade the search heads first, then upgrade the indexing infrastructure that supports them. If you have deployment servers in the environment, be sure to disable those prior to upgrading your search heads.

To upgrade a distributed Splunk environment with multiple indexers and non-pooled search heads:

Prepare the upgrade

1. Confirm that any apps that the search heads use will work on the upgraded version of Splunk, as described in "Test your apps prior to the upgrade" in this topic.
2. If you use a deployment server in your environment, disable it temporarily. This prevents the server from distributing invalid configurations to your other Splunk components.
3. Upgrade your deployment server, but do not restart it.

Upgrade the search heads

4. Disable and upgrade one of the search heads. Do not allow it to restart.
5. After you upgrade the search head, place the confirmed working apps into the $SPLUNK_HOME/etc/apps directory of the search head.
6. Restart this search head and test for operation and functionality.
7. If there are no problems with the search head, then disable and upgrade the remaining search heads, one by one. Repeat this step until you have reached the last search head in your environment. Optionally, you can test each search head for operation and functionality after you bring it up.
8. Once you have upgraded the last search head, test all of the search heads for operation and functionality.

Upgrade the indexers

9. Disable and upgrade your indexers, one by one. You can restart the indexers immediately after you upgrade them.
10. Test your search heads to ensure that they find data across all your indexers. 11. After all indexers have been upgraded, restart your deployment server.
Upgrade a distributed environment with multiple indexers and pooled search heads
If your distributed Splunk environment has pooled search heads, the process to upgrade the environment becomes significantly more complex. If your organization has restrictions on downtime, this type of upgrade is best done within a maintenance window.

The key concepts to understand about upgrading this kind of environment are:

- Pooled search heads must be enabled and disabled as a group.
- The version of Splunk on all pooled search heads must be the same.
- Apps and configurations that the search heads use must be tested prior to upgrading the search head pool.

If you have additional concerns about the guidance shown here, you can log a case via the Splunk Support Portal.

To upgrade a distributed Splunk environment with multiple indexers and pooled search heads:

Prepare the upgrade

1. Confirm that any apps that the pooled search heads use will work on the upgraded version of Splunk, as described in "Test your apps prior to the upgrade" in this topic.
2. If you use a deployment server in your environment, disable it temporarily. This prevents the server from distributing invalid configurations to your other Splunk components.
3. Upgrade your deployment server, but do not restart it.

Upgrade the search head pool

4. Designate a search head (Search Head #1) in your search head pool to upgrade as a test for functionality and operation.

Note: Search heads must be removed from the pool temporarily to prevent changes to the search head pool shared storage and to trigger migration of local apps and system settings during the upgrade. If problems occur as a result of the upgrade, the search head can be temporarily used in a non-pooled configuration as a backup.

5. Bring down all of the search heads in your environment.

Note: Search capability will be unavailable at this time, and will remain unavailable until you restart all of the search heads after upgrading.

6. Place the confirmed working apps in the search head pool shared storage area.
7. Remove Search Head #1 from the search head pool.

Note: Review "Configure search head pooling" for instructions on how to enable and disable search head pooling on each search head.

8. Upgrade Search Head #1.
9. Restart Search Head #1 and test for operation and functionality.
10. If the upgraded Search Head #1 functions as desired, bring it down and add it back to the search head pool.
11. Upgrade the remaining search heads in the pool, one by one.

Caution: Remove each search head from the search head pool before you upgrade, and add them back to the pool after you upgrade. Do not allow the search heads to restart until you have upgraded them all.

12. Once you have upgraded the last search head in the pool, then restart all of them.
13. Test all search heads for operation and functionality across all of your indexers.

Upgrade the indexers

14. Once you have confirmed that your search heads are functioning as desired, choose an indexer to keep the environment running (Indexer #1), and another to upgrade initially (Indexer #2).

Note: If you do not have downtime concerns, you do not need to perform this step.

15. Bring down all of the indexers except Indexer #1.

Note: If you do not have downtime concerns, you can bring down all of the indexers.

16. Upgrade Indexer #2.
17. Bring up Indexer #2 and test for operation and functionality.

Note: Search heads running the latest version of Splunk can communicate with indexers running earlier versions of Splunk.

18. Once you have confirmed proper operation on Indexer #2, bring down Indexer #1.
19. Upgrade Indexer #1 and all of the remaining indexers, one by one. You can restart the indexers immediately after you upgrade them.
20. Confirm operation and functionality across all of your indexers.
21. Restart your deployment server, and confirm its operation and functionality.
Upgrade forwarders
When upgrading your distributed Splunk environment, you can also upgrade any universal forwarders in that environment. This is not required, however, and you might want to consider whether or not you need to. Forwarders are always compatible with later version indexers, so you do not need to upgrade them just because you've upgraded the indexers they're sending data to. To upgrade universal forwarders, review the following topics in this manual: Upgrade the Windows universal forwarder Upgrade the universal forwarder on *nix systems
In this example, each deployment client is a Splunk forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to push to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy several forwarders".

A deployment app is a set of deployment content (including configuration files) deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Depending on filtering criteria, an app might get deployed to all clients in a server class or to a subset of clients. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk app, or one developed solely to group some content for deployment purposes.

Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk context. For more information on Splunk apps, see "What are apps and add-ons?".

For more information on deployment servers, server classes, and deployment apps, see "Define server classes". For more information on deployment clients, see "Configure deployment clients".

A multi-tenant environment means that you have more than one deployment server running on the same Splunk instance, and each deployment server is serving content to its own set of deployment clients. For information about multi-tenant environments, see "Deploy in multi-tenant environments".
Key terms
Here's a recap of the key definitions:

deployment server
    A Splunk instance that acts as a centralized configuration manager. It pushes configuration updates to other Splunk instances.

deployment client
    A remotely configured Splunk instance. It receives updates from the deployment server.

server class
    A deployment configuration category shared by a group of deployment clients. A deployment client can belong to multiple server classes.

deployment app
    A unit of content deployed to one or more members of a server class or classes.

multi-tenant environment
    A deployment environment involving multiple deployment servers.
Plan a deployment
If you've got Splunk instances serving a variety of different populations within your organization, chances are their configurations vary depending on who uses them and for what purpose. You might have some number of Splunk instances serving the helpdesk team, configured with a specific app to accelerate troubleshooting of Windows desktop issues. You might have another group of Splunk instances in use by your operations staff, set up with a few different apps designed to emphasize tracking of network issues, security incidents, and email traffic management. A third group of Splunk instances might serve the Web hosting group within the operations team. Rather than trying to manage and maintain these divergent Splunk instances one at a time, you can put them into groups based on their use, identify the configurations and apps needed by each group, and then use the deployment server to update their various apps and configurations as needed. In addition to grouping Splunk instances by use, there are other useful types of groupings you can specify. For example, you might group Splunk instances by OS or hardware type, by version, or by geographical location or timezone.
Configuration overview
For the great majority of deployment server configurations, perform these steps:

1. Designate one of your Splunk instances as the deployment server. A deployment server can also be a deployment client, either of itself or of a different deployment server.

Note: While in small environments (fewer than 30 deployment clients), it may be perfectly viable to provide the deployment server service from an indexer or search head node, Splunk strongly recommends putting the deployment server on its own Splunk instance when using it with larger numbers of clients. For additional information, refer to the topic about the deployment server on the Splunk Community Wiki.

2. Group the deployment clients into server classes. A server class defines the clients that belong to it and what content gets pushed out to them. Each deployment client can belong to multiple server classes.

3. Create a serverclass.conf file on the deployment server. It specifies the server classes and the location of the deployment apps. Refer to "Define server classes" in this manual for details.

Note: You can also add server classes and perform simple configuration through Splunk Manager, as described in "Define server classes".

4. Create the directories for your deployment apps, and put the content to be deployed into those directories. Refer to "Deploy apps and configurations" in this manual for details.

5. Create a deploymentclient.conf for each deployment client. It specifies what deployment server the client should communicate with, the specific location on that server from which it should pick up content, and where it should put it locally. Refer to "Configure deployment clients" in this manual for details.

6. For more complex deployments with multiple deployment servers, create a tenants.conf file on one of the deployment servers. This allows you to define multiple deployment servers on a single Splunk instance and redirect incoming client requests to a specific server according to rules you specify. Refer to "Deploy in multi-tenant environments" in this manual for more information. Most deployment server topologies don't require that you touch tenants.conf, however.

For an example of an end-to-end configuration, see "Deploy several forwarders".

Note: The deployment server and its deployment clients must agree in the SSL setting for their splunkd management ports. They must all have SSL enabled, or they must all have SSL disabled.
To configure SSL on a Splunk instance, set the enableSplunkdSSL attribute in server.conf to "true" or "false".
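As a minimal sketch of step 5 above, a deploymentclient.conf pointing a client at its deployment server might look like this (the hostname is a hypothetical example):

```
[deployment-client]

[target-broker:deploymentServer]
targetUri = deploymentserver.example.com:8089
```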
Restart or reload?
The first time you configure the deployment server and its clients, you'll need to restart all instances of Splunk. When you restart the deployment server, it automatically deploys any new content to its clients. Later on, to deploy new or updated content without restarting, you can use the CLI reload command, as described in "Deploy apps and configurations" in this manual.
You define server classes in serverclass.conf on the deployment server. You can also define server classes and perform basic configuration through the Splunk Manager. To perform advanced configuration tasks, however, you'll need to edit serverclass.conf.
Use serverclass.conf
You can define server classes in serverclass.conf on the deployment server. Create one in $SPLUNK_HOME/etc/system/local. For information about configuration files, including an explanation of their basic structure, see "About configuration files" in the Admin manual.

If you have multiple server classes, you might want to define one server class that applies to all deployment clients by default. You can then override various aspects of it as needed by defining more specific server classes. For example, if you have a mix of Windows and Linux universal forwarders sending data to the same indexer, you might want to make sure that all forwarders get a common outputs.conf file, but that Windows forwarders get one inputs.conf file while Linux forwarders get a different one. In that case, you could define an "all forwarders" server class that distributes a deployment app containing the outputs.conf file to all forwarders, while also defining Windows and Linux server classes that distribute separate apps containing the different inputs.conf files to the appropriate subsets of forwarders.

In addition to defining attributes and content for specific server classes, you can also define attributes that pertain just to a single app within a server class.

Important: All configuration information is evaluated numerically and then alphabetically (0-9, then a-z), so nomenclature matters.

A deployment client has its own configuration, defined in deploymentclient.conf. The information in deploymentclient.conf tells the deployment client where to go to get the content that the server class it belongs to says it should have.

The next section provides a reference for the server class configuration settings. You might want to read it while referring to the set of simple example configurations presented later in this topic. In addition, there are several longer and more complete examples presented later in this manual, including "Deploy several forwarders".
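The mixed Windows/Linux forwarder scenario above could be sketched in serverclass.conf roughly as follows. The server class, app, and host names here are hypothetical; the apps would live in the deployment server's repository location:

```
[serverClass:AllForwarders]
whitelist.0=*

# App containing the common outputs.conf, pushed to every forwarder
[serverClass:AllForwarders:app:fwd_outputs]

[serverClass:WindowsForwarders]
whitelist.0=win-fwd*.example.com

# App containing the Windows-specific inputs.conf
[serverClass:WindowsForwarders:app:win_inputs]

[serverClass:LinuxForwarders]
whitelist.0=linux-fwd*.example.com

# App containing the Linux-specific inputs.conf
[serverClass:LinuxForwarders:app:linux_inputs]
```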
What you can configure for a server class

You can specify settings for a global server class, as well as for individual server classes or apps within server classes. There are three levels of stanzas to enable this:

[global]
    The global server class. Attributes defined here pertain to all server classes.

[serverClass:<serverClassName>]
    Individual server class. A server class is a collection of apps. Attributes defined here pertain to just the server class <serverClassName>.

[serverClass:<serverClassName>:app:<appName>]
    Individual app within a server class. Attributes defined here pertain to just the specified deployment app <appName>. To indicate all apps, <appName> can be the wildcard character *, in which case all content in the repositoryLocation will be added to this serverClass.

Attributes in more specific stanzas override less specific stanzas. Therefore, an attribute defined in a [serverClass:<serverClassName>] stanza will override the same attribute defined in [global]. The attributes are definable for each stanza level, unless otherwise indicated. Here are the most common ones:

repositoryLocation
    The location on the deployment server where the content for this server class is stored. Default: $SPLUNK_HOME/etc/deployment-apps.

targetRepositoryLocation
    The location where the content is installed on the deployment client. Default: $SPLUNK_HOME/etc/apps.

continueMatching
    If set to false, the deployment server will look through the list of server classes in this configuration file and stop when it matches the first one to a client. If set to true, the deployment server will continue to look and match. This option is available because you can define multiple, layered sets of server classes. Default: true.

endpoint
    Default: $deploymentServerUri$/services/streams/deplo

filterType
    "whitelist" or "blacklist". Default: whitelist. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

    The whitelist setting indicates a filtering strategy that pulls in a subset: Items are not considered to match the stanza by default. Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the stanza. Items that match any blacklist entry are not considered to match the stanza, regardless of whitelist.

    The blacklist setting indicates a filtering strategy that rules out a subset: Items are considered to match the stanza by default. Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the stanza. Items that match any whitelist entry are considered to match the stanza.

    More briefly:
    whitelist: default no-match -> whitelists enable -> blacklists disable
    blacklist: default match -> blacklists disable -> whitelists enable

    You can override this value at the serverClass and serverClass:app levels. If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.
whitelist.<n>
blacklist.<n>
    <n> is a number starting at 0, and incrementing by 1. Default: n/a.

    Set the attribute to ipAddress, hostname, or clientName:
    - ipAddress is the IP address of the deployment client. Can use wildcards, such as 10.1.1.*
    - hostname is the host name of the deployment client. Can use wildcards, such as *.splunk.com.
    - clientName is a logical or tag name that can be assigned to a deployment client in deploymentclient.conf. clientName takes precedence over ipAddress or hostname when matching a client to a filter.

    Here are some examples. When filterType is whitelist, filters can be written so that all hosts in fflanda.com, except 'printer' and 'scanner', match the server class. When filterType is blacklist, filters can be written so that only the 'web' and 'linux' hosts match the server class, and no other hosts match.

    You can override this value at the serverClass and serverClass:app levels. Important: Overriding one type of filter (whitelist/blacklist) causes the other to be overridden too. If, for example, you override the whitelist, the blacklist will not be inherited from the parent; you must provide one in the stanza.
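The filter listings for the two examples above were lost in extraction. Reconstructed to match the described outcomes (host names are illustrative), they would look roughly like this:

```
# filterType is whitelist: all fflanda.com hosts except 'printer' and 'scanner' match
[serverClass:fflanda]
filterType=whitelist
whitelist.0=*.fflanda.com
blacklist.0=printer.fflanda.com
blacklist.1=scanner.fflanda.com

# filterType is blacklist: only the 'web' and 'linux' hosts match
[serverClass:webLinux]
filterType=blacklist
blacklist.0=*
whitelist.0=web.fflanda.com
whitelist.1=linux.fflanda.com
```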
Set to "enabled", "disabled", or "noop". This setting specifies whether the deployment client receiving an app should enable or disable the app once it is enabled installed. The "noop" value is for apps that do not require enablement; for example, apps containing only Splunk knowledge, such as event or source types. Matches any of the machine types in a comma-separated list. n/a
stateOnClient
machineTypes
This setting lets you use the hardware type of the deployment client as a filter. This filter will be used only if a client could not be matched using the whitelist/blacklist filters. The easiest way to ensure that Splunk uses machineTypes as the filter is to add this setting to the top of your serverclass.conf file:
[global]
blacklist.0=*
Note: machineTypes will have no effect if used in conjunction with whitelist.0=*. This is because whitelist.0=* causes a match on
all clients, and machineTypes only gets used if no clients are matched through whitelist or blacklist filters. The value for machineTypes is a comma-separated list of machine types; for example, linux-i686, linux-x86_64, etc. Each machine type is a specific string designated by the hardware platform itself. Note: A machineTypes value can contain wildcards; for example: linux-* or aix-* The method for finding this string on the client varies by platform, but if the deployment client is already connected to the deployment server, you can determine the string's value by using this Splunk CLI command on the deployment server:
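The command referred to here is presumably the standard client-listing command of this Splunk release (worth verifying against your version's CLI help):

```
./splunk list deploy-clients
```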
This will return a value for utsname that you can use to specify machineTypes. This setting will match any of the machine types in a comma-delimited list. Commonly used machine types are linux-x86_64, windows-intel, linux-i686, freebsd-i386, darwin-i386, sunos-sun4u, sunos-i86pc, and freebsd-amd64. Note: Be sure to include the 's' at the end of "machineTypes".
restartSplunkWeb
    Set to "true" or "false". Determines whether the client's Splunk Web restarts after the installation of a server class or app.
    Default: false

restartSplunkd
    Set to "true" or "false". Determines whether the client's splunkd restarts after the installation of a server class or app.
    Default: false

Note: The most accurate and up-to-date list of settings available for a given configuration file is in the .spec file for that configuration file. You can find the latest version of the .spec and .example files for serverclass.conf in the Configuration file reference in the Admin manual, or in $SPLUNK_HOME/etc/system/README.

Examples

Here are several examples of defining server classes in the serverclass.conf file:
# Example 1
# Matches all clients and includes all apps in the server class
[global]
whitelist.0=*
# whitelist matches all clients.

[serverClass:AllApps]
[serverClass:AllApps:app:*]
# a server class that encapsulates all apps in the repositoryLocation
# Example 2
# Assign server classes based on hostnames.
[global]

[serverClass:AppsForOps]
whitelist.0=*.ops.yourcompany.com
[serverClass:AppsForOps:app:unix]
[serverClass:AppsForOps:app:SplunkLightForwarder]

[serverClass:AppsForDesktops]
filterType=blacklist
# blacklist everybody except the Windows desktop machines.
blacklist.0=*
whitelist.0=*.desktops.yourcompany.com
[serverClass:AppsForDesktops:app:SplunkDesktop]
# Example 3
# Deploy server class based on machine types
[global]
# blacklist.0=* at the global level ensures that the machineTypes filter
# invoked later will apply.
blacklist.0=*

[serverClass:AppsByMachineType]
# Include all machineTypes used by apps in this server class.
# It is important to have a general filter here and a more specific
# filter at the app level. An app is matched only if the server class
# it is contained in was also successfully matched.
machineTypes=windows-intel, linux-i686, linux-x86_64
[serverClass:AppsByMachineType:app:SplunkDesktop]
# Deploy this app only to Windows boxes.
machineTypes=windows-intel

[serverClass:AppsByMachineType:app:unix]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypes=linux-i686, linux-x86_64
several forwarders".
[deployment-client]
    Includes a number of configuration attributes. Most importantly, this stanza specifies where to place downloaded content.

[target-broker:deploymentServer]
    Specifies the location of this client's deployment server. "deploymentServer" is the default name for a deployment server.

These are the main attributes available in the [deployment-client] stanza:

disabled
    Set to "true" or "false". A value of "true" disables the deployment client.
    Default: false

clientName
    A logical or tag name for this deployment client. clientName takes precedence over ipAddress or hostname when the deployment server matches a client to a filter.
    Default: deploymentClient

workingDir
    Temporary working directory used by the deployment client when downloading content.
    Default: $SPLUNK_HOME/var/run/deploy-client

repositoryLocation
    The location where the deployment client installs downloaded apps. Note that, for each app that is downloaded, the deployment server may also specify a repository location to install it. The deployment client uses the serverRepositoryLocationPolicy attribute to determine which value to use.
    Default: $SPLUNK_HOME/etc/apps

serverRepositoryLocationPolicy
    Set to "acceptSplunkHome", "acceptAlways", or "rejectAlways":
    - acceptSplunkHome - Accept the repository location supplied by the deployment server, if and only if it is rooted by $SPLUNK_HOME.
    - acceptAlways - Always accept the repository location supplied by the deployment server.
    - rejectAlways - Always reject the server-supplied repository location. Instead, use the repositoryLocation defined on the client.
    Default: acceptSplunkHome

endpoint
    The endpoint from which to download content. Note: The deployment server can specify a different endpoint from which to download each set of content (individual apps, etc). The deployment client uses the serverEndpointPolicy attribute to determine which value to use. $deploymentServerUri$ resolves to targetUri, defined in the [target-broker] stanza. $serviceClassName$ and $appName$ mean what they say.
    Default: $deploymentServerUri$/services/streams/deployment?...

serverEndpointPolicy
    Set to "acceptAlways" or "rejectAlways":
    - acceptAlways - Always accept the endpoint supplied by the deployment server.
    - rejectAlways - Always reject the endpoint supplied by the deployment server. Instead, use the endpoint defined by the endpoint attribute.
    Default: acceptAlways

phoneHomeIntervalInSecs
    A number that determines how frequently (in seconds) the deployment client should check for new content.
    Default: 60

This is the main attribute available in the [target-broker:deploymentServer] stanza:

targetUri
    Specifies the deployment server connection information. The management port is typically 8089.
    Default: n/a
Note: The most accurate and up-to-date list of settings available for a given configuration file is in the .spec file for that configuration file. You can find the latest version of the .spec and .example files in the Configuration file reference in this manual, or in $SPLUNK_HOME/etc/system/README.
Examples
Here are several examples of defining deployment clients through the deploymentclient.conf file:
# Example 1
# Deployment client receives apps, placing them into the same repositoryLocation
# locally, relative to $SPLUNK_HOME, that it picked them up from.
# This is typically $SPLUNK_HOME/etc/apps.
# There is nothing in [deployment-client], because the deployment client is not
# overriding the value set on the deployment server side.
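The stanzas for this example are minimal; a sketch (the targetUri value follows the pattern used in Examples 3 and 4):

```
[deployment-client]

[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.mycompany.com:8089
```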
# Example 2
# Deployment server keeps apps to be deployed in a non-standard location on
# the server side (perhaps for organization purposes).
# Deployment client receives apps and places them in the standard location.
# Note: Apps deployed to any location other than $SPLUNK_HOME/etc/apps on the
# deployment client side will not be recognized and run.
# This configuration rejects any location specified by the deployment server
# and replaces it with the standard client-side location.
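A sketch of the stanzas these comments describe, using the repository-location attributes covered above (the exact values are assumptions based on the comments):

```
[deployment-client]
serverRepositoryLocationPolicy = rejectAlways
repositoryLocation = $SPLUNK_HOME/etc/apps

[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.mycompany.com:8089
```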
# Example 3
# Deployment client should get apps from an HTTP server that is different
# from the one specified by the deployment server.
[deployment-client]
serverEndpointPolicy = rejectAlways
endpoint = http://apache.mycompany.server:8080/$serviceClassName$/$appName$.tar

[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.mycompany.com:8089
# Example 4
# Deployment client should get apps from a location on the file system and
# not from a location specified by the deployment server.
[deployment-client]
serverEndpointPolicy = rejectAlways
endpoint = file:/<some_mount_point>/$serviceClassName$/$appName$.tar

[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.mycompany.com:8089
Include the IP address/hostname and management port of the deployment server. The management port is typically 8089. Now restart the deployment client to make the change take effect. To disable a deployment client, run the following command:
./splunk disable deploy-client
just one deployment server. For information about configuration files, including an explanation of their basic structure, see About configuration files in the Admin manual.
whitelist.<n>
blacklist.<n>
    Set the attribute to ipAddress, hostname, or clientName:
    - ipAddress is the IP address of the deployment client. Can use wildcards, such as 10.1.1.*
    - hostname is the host name of the deployment client. Can use wildcards, such as *.splunk.com.
    - clientName is a logical or tag name that can be assigned to a deployment client in deploymentclient.conf. clientName takes precedence over ipAddress or hostname when matching a client to a filter.
    Default: n/a
Example
Here is an example of defining two tenants in the tenants.conf file:
# Define two tenants - dept1 and dept2.
# Deployment server configuration for dept1 will be in a matching dept1-serverclass.conf
# Deployment server configuration for dept2 will be in a matching dept2-serverclass.conf
[tenant:dept1]
whitelist.0=*.dept1.splunk.com

[tenant:dept2]
whitelist.0=*.dept2.splunk.com
1. Put the new or updated deployment content into deployment directories. 2. Inform the clients that it's time to download new content.
mkdir -p $SPLUNK_HOME/etc/deployment-apps/fwd_to_splunk1/default
Place the content for each app into the app's subdirectory. To update the app with new or changed content, just add or overwrite the files in the directory.
This command notifies and updates only the server class you specify:
For example:
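The command in question is presumably the scoped form of the reload command, with "www" as the server class name (verify the -class flag against your version's CLI help):

```
./splunk reload deploy-server -class www
```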
In this example, the command notifies and updates only the clients that are members of the www server class.
This lists all the deployment clients and specifies the last time they were successfully synced.
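The listing command itself, run on the deployment server (command name is an assumption based on the standard CLI of this era):

```
./splunk list deploy-clients
```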
Before reading this example, you should already be familiar with how forwarders and receivers communicate, as described in "About forwarding and receiving" and the topics that follow it.

The example sets up the following distributed environment, in which a deployment server deploys configurations for three universal forwarders sending data to two indexers:

- The deployment server Fflanda-SPLUNK3 (10.1.2.4) manages deployment for these universal forwarders: Fflanda-WIN1, Fflanda-LINUX1, and Fflanda-LINUX2.
- Fflanda-WIN1 forwards Windows event logs to the receiving indexer Fflanda-SPLUNK1 (10.1.2.2).
- Fflanda-LINUX1 and Fflanda-LINUX2 forward Linux messages to the receiving indexer Fflanda-SPLUNK2 (10.1.2.3).
- The forwarders are deployment clients, receiving their configuration files from the deployment server.

Here's the basic setup:
For information on forwarders (including the universal forwarder), see "About forwarding and receiving" in this manual. For information on monitoring Windows event log data, see "Monitor Windows event log data". For information on monitoring files, such as message logs, see "Monitor files and directories".
1. Create the set of server classes and apps for the deployment clients (forwarders) with serverclass.conf. You'll create two server classes to represent the two OS types (Windows, Linux). For each server class, you'll also create two deployment apps, for a total of four apps. The apps encapsulate:
- The type of input -- the data that the universal forwarder will monitor (Windows event logs or Linux messages).
- The type of output -- the indexer the forwarder will send data to (SPLUNK1 or SPLUNK2).
This configuration results in each universal forwarder belonging to a server class and receiving two apps: one for its inputs and one for its outputs.
2. Create directories to hold the deployment apps.
3. Create configuration files (outputs.conf and inputs.conf) to deploy to the forwarders. These files constitute the deployment apps and reside in the app directories.
4. Restart the deployment server.

On each Splunk indexer that will be receiving data from universal forwarders:

1. Enable receiving through the Splunk CLI.
2. Restart the indexer.

On each forwarder/deployment client:

1. Create a deploymentclient.conf file that points to the deployment server.
2. Restart the forwarder.

The rest is Splunk magic. After a short delay (while the forwarders receive and act upon their deployed content), Windows event logs begin flowing from Fflanda-WIN1 to Fflanda-SPLUNK1, and /var/log/messages begin flowing from Fflanda-LINUX1 and Fflanda-LINUX2 to Fflanda-SPLUNK2.
# Server class for Windows
[serverClass:Fflanda-WIN]
# Filter (whitelist) all Windows clients
whitelist.0=Fflanda-WIN*

# App for inputting Windows event logs
# This app is only for clients in the server class Fflanda-WIN
[serverClass:Fflanda-WIN:app:winevt]
# Enable the app and restart Splunk, after the client receives the app
stateOnClient=enabled
restartSplunkd=true

# App for forwarding to SPLUNK1
# This app is only for clients in the server class Fflanda-WIN
[serverClass:Fflanda-WIN:app:fwd_to_splunk1]
stateOnClient=enabled
restartSplunkd=true

# Server class for Linux
[serverClass:Fflanda-LINUX]
# Filter (whitelist) all Linux clients
whitelist.0=Fflanda-LINUX*

# App for inputting Linux messages
# This app is only for clients in the server class Fflanda-LINUX
[serverClass:Fflanda-LINUX:app:linmess]
stateOnClient=enabled
restartSplunkd=true

# App for forwarding to SPLUNK2
# This app is only for clients in the server class Fflanda-LINUX
[serverClass:Fflanda-LINUX:app:fwd_to_splunk2]
stateOnClient=enabled
restartSplunkd=true
See "Define server classes" for details on how to configure this file. 3. Create the app deployment directories with the following commands:
mkdir -p $SPLUNK_HOME/etc/deployment-apps/winevt/default
mkdir -p $SPLUNK_HOME/etc/deployment-apps/fwd_to_splunk1/default
mkdir -p $SPLUNK_HOME/etc/deployment-apps/linmess/default
mkdir -p $SPLUNK_HOME/etc/deployment-apps/fwd_to_splunk2/default
Each app gets its own directory, so that they can be deployed individually. In addition, the directory name determines the name of the app. 4. Create $SPLUNK_HOME/etc/deployment-apps/fwd_to_splunk1/default/outputs.conf with the following settings:
[tcpout]
defaultGroup=splunk1

[tcpout:splunk1]
# Specifies the server that receives data from the forwarder.
server=10.1.2.2:9997
For information on outputs.conf, see "Configure forwarders with outputs.conf" in this manual. 5. Create $SPLUNK_HOME/etc/deployment-apps/fwd_to_splunk2/default/outputs.conf with the following settings:
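Mirroring the fwd_to_splunk1 file above, and using SPLUNK2's address from this scenario (10.1.2.3, port 9997), the file would contain something like:

```
[tcpout]
defaultGroup=splunk2

[tcpout:splunk2]
# Specifies the server that receives data from the forwarder.
server=10.1.2.3:9997
```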
For information on monitoring Windows event log data, see "Monitor Windows event log data" in the Getting Data In manual. 7. Create $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf with the following settings:
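A minimal version of this file, monitoring the /var/log/messages file that this scenario forwards (a sketch):

```
[monitor:///var/log/messages]
disabled = false
```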
For information on monitoring files, such as message logs, see "Monitor files and directories" in the Getting Data In manual. 8. Restart Splunk (the deployment server). Note: Because the deployment server in this example is newly configured, it requires a restart for its configuration to take effect. When clients poll the server for the first time, they'll get all the content designated for them. To deploy subsequent content, you generally do not need to restart the server. Instead, you just invoke the Splunk CLI reload command on the server, as described in "Deploy apps and configurations". By doing so, you ensure that the server will inform its clients of content changes. However, whenever you edit serverclass.conf, you must always restart the deployment server for the configuration changes to take effect. To set up the receiving indexers, Fflanda-SPLUNK1 and Fflanda-SPLUNK2, perform these steps on the machines where you want them to reside:
1. Install Splunk, if you haven't already done so. 2. Run the following CLI command:
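The command is presumably the standard receiver-enablement command; the port matches the one used throughout this example, and the credentials are placeholders:

```
./splunk enable listen 9997 -auth admin:changeme
```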
This specifies that the indexer will serve as a receiver, listening for data on port 9997. With proper authorization, any forwarder can now send data to the receiver by designating its IP address and port number. You must enable the indexers as receivers before you enable the forwarders that will be sending data to them. For more information on enabling receivers, see "Enable a receiver" in this manual. 3. Restart Splunk. On each universal forwarder, Fflanda-WIN1, Fflanda-LINUX1, and Fflanda-LINUX2: 1. Install the forwarder, if you haven't already done so. 2. You can specify the deployment server as part of the installation process, or you can specify it in $SPLUNK_HOME/etc/system/local/deploymentclient.conf after the installation, using these settings:
[deployment-client]

[target-broker:deploymentServer]
# Specify the deployment server that the client will poll.
targetUri= 10.1.2.4:8089
See "Configure deployment clients" for details on how to configure this file. To learn how to specify the deployment server at installation time, see "Universal forwarder deployment overview" and the topics that follow it. 3. Restart the universal forwarder. Each forwarder will now poll the deployment server, download its configuration files, restart, and begin forwarding data to its receiving indexer. For a follow-up example showing how to use the deployment server to update forwarder configurations, see "Example: Add an input to forwarders".
What the communication between the deployment server and its clients looks like
Using the above example, the communication from Fflanda-WIN1 to Fflanda-SPLUNK3 on port 8089 would look like this:

Fflanda-WIN1: Hello, I am Fflanda-WIN1.
Fflanda-SPLUNK3: Hello, Fflanda-WIN1. I have been expecting to hear from you. I have you down as a member of the Fflanda-WIN server class, and you should have the fwd_to_splunk1 (checksum=12345) and winevt (checksum=12378) apps.

Fflanda-WIN1: Hmmm, I don't have those configs. Using this connection I just opened up to you, can I grab the configs from you?

Fflanda-SPLUNK3: Sure! I have them ready for you.

Fflanda-WIN1: Thanks! I am going to back off a random number of seconds between 1 and 60 (in case you have a lot of clients that are polling you at the moment) ... OK, now send me the files.

Fflanda-SPLUNK3: Done! You now have fwd_to_splunk1-timestamp.bundle and winevt-timestamp.bundle.

Fflanda-WIN1: Awesome! I am going to store them in my $SPLUNK_HOME/etc/apps directory. Now I am going to restart myself, and when I come back up I am going to read the configurations that you sent me directly out of the .bundle files, which I know are just tarballs with a different extension.

A couple of minutes go by....

Fflanda-WIN1: Hello, I am Fflanda-WIN1.

Fflanda-SPLUNK3: Hello, Fflanda-WIN1. I have been expecting to hear from you. I have you down as a member of the Fflanda-WIN server class, and you should have the fwd_to_splunk1 (checksum=12345) and winevt (checksum=12378) apps.

Fflanda-WIN1: Hmmm, I already have both of those, but thanks anyway!

Later on, an admin modifies the winevt/inputs.conf file on Fflanda-SPLUNK3 to disable the collection of system event logs, and then runs the CLI command splunk reload deploy-server to force the deployment server to rescan serverclass.conf and the app directories. The next time Fflanda-WIN1 talks to Fflanda-SPLUNK3, it goes like this:

Fflanda-WIN1: Hello, I am Fflanda-WIN1.

Fflanda-SPLUNK3: Hello, Fflanda-WIN1. I have been expecting to hear from you. I have you down as a member of the Fflanda-WIN server class, and you should have the fwd_to_splunk1 (checksum=12345) and winevt (checksum=13299) apps.
Fflanda-WIN1: Hmmm, I know I have those configs, but the checksum I have for the winevt configs is different from the one you just told me about. Using this connection I just opened up to you, can I grab the updated winevt config from you?

Fflanda-SPLUNK3: Sure! I have it ready for you.

Fflanda-WIN1: Thanks! I am going to back off a random number of seconds between 1 and 60 (in case you have a lot of clients that are polling you at the moment) ... OK, now send me the updated config.
Fflanda-SPLUNK3: Done! You now have winevt-newer_timestamp.bundle.

Fflanda-WIN1: Awesome! I am going to store it in my $SPLUNK_HOME/etc/apps directory and move the old winevt.bundle I had out of the way. Now I am going to restart myself, and when I come back up, I'll have the most up-to-date config.
Once this command has been run, the deployment server notifies the clients that are members of the Fflanda-LINUX server class of the changed file. Since the change doesn't affect the Fflanda-WIN server class, its members don't need to know about it.
Note the following:
- The [global] stanza is required. It contains any settings that should be globally applied.
- In the [global] stanza, whitelist.0=* signifies that all of the deployment server's clients match all server classes defined in this configuration file.
- In this example, there is just a single server class. The server class name is "lightforwarders". You can call your server classes anything you want.
- In the [serverClass:lightforwarders] stanza, whitelist.0=* signifies that all clients match the lightforwarders server class.
- The [serverClass:lightforwarders:app:SplunkLightForwarder] stanza contains settings specific to the SplunkLightForwarder app on the lightforwarders server class. stateOnClient specifies that this app should be enabled on the client when it is deployed. restartSplunkd specifies that when this app is deployed, splunkd should be restarted.

See "Define server classes" for details on how to configure this file.
Note the following:
- deploymentServer is the default name for a deployment server.
- <IP:port> is the IP address and port number for this client's deployment server.

The file points the client to the deployment server located at IP:port. There, it will pick up the Splunk light forwarder app, enable it, and restart.

See "Configure deployment clients" for details on how to configure this file.