Implementing Windows Support for Client Only

[JonoRicci]

Myself and @jjm have a need to install the Splunk Universal Forwarder on Windows.

I am planning to submit a pull request soon but I thought I would raise an issue to start a discussion in case there are any details or thoughts we are missing.

Desired Behaviour

The chef-splunk cookbook will install only the Universal Forwarder on:

• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019

We only desire to install the Universal Forwarder and not the Splunk server.

At this moment I'm unsure if I need to make additional changes if sending data to Splunk Cloud rather than Splunk Enterprise, and whether that's in the scope of this cookbook.

References

• Previous issue opened 2014 (windows support #20)
• Splunk Docs - Install a Windows universal forwarder from the command line
• Splunk Docs - Install a Windows universal forwarder from an installer

[haidangwa]

Hi @JonoRicci,

Sorry for the delayed response. Things have been crazy busy at work. First, the chef-splunk cookbook doesn't officially support Windows, but I can see where it would be useful to setup as a client to ship logs to a Splunk Server, regardless of the platform.

For my project at work, I created a wrapper cookbook that sets attributes needed to setup a SplunkForwarder. Specifically, these attributes are for my organization, so nothing that I can share here. However, I found that wrapping the chef-splunk cookbook and setting attributes specifically for a Splunk Forwarder install was a way to distribute it to my internal customers without exposing them to all the server-specific internals of the chef-splunk cookbook.

Some of the attributes that I set in my wrapper cookbook for splunk UF installation are:

default['chef-vault']['databag_fallback'] = true
default['splunk']['accept_license'] = true
default['splunk']['forwarder'] = {
  'url' => value_for_platform_family(
    %w(rhel fedora suse amazon) => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-x86_64.rpm',
    'debian' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/linux/splunkforwarder-8.0.4-767223ac207f-linux-2.6-amd64.deb',
    'windows' => 'https://download.splunk.com/products/universalforwarder/releases/8.0.4/windows/splunkforwarder-8.0.4-767223ac207f-x64-release.msi'
  ),
  'version' => '8.0.4',
}

default['twdc_splunk_client']['deployment_client_name'] = node.name
default['twdc_splunk_client']['deployment_server_client_endpoint'] = 'your.deployment-server.endpoint.com:8089'

We also install a custom Splunk app that merely consists of a deploymentclient.conf.erb to configure the UF for our internal deployment server endpoint.

recipes/default.rb:

node.override['splunk']['is_server'] = false

chef_gem 'iniparse'
require 'iniparse'

%w(user install_forwarder).each do |r|
  include_recipe "chef-splunk::#{r}"
end

splunk_app 'deploymentclient_base' do
  templates ['deploymentclient.conf.erb']
  template_variables(
    'deploymentclient.conf.erb' => {
      'deployment_client_name' => node['deployment_client_name'],
      'deployer_url' => node['deployment_server_client_endpoint'],
    }
  )
  remote_directory 'deploymentclient_base'
  action :install
  notifies :restart, 'service[splunk]'
end