@mhmdio
Last active September 10, 2021 08:09
SplunkForwarder

Splunk Forwarder

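# Seed the Splunk admin account. Needs PASS and SPLUNK_HOME (exported below), and the
# file must be in place after the tarball is extracted and before the first "splunk start".
# The heredoc delimiter is quoted so a "$" in the password is not expanded by the shell.
cat > user-seed.conf <<'EOF'
[user_info]
USERNAME = csiem
PASSWORD = xxx
EOF

echo "$PASS" | sudo -S cp user-seed.conf "$SPLUNK_HOME/etc/system/local/user-seed.conf"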

# Windows Universal Forwarder 8.2.2 installer (MSI):
# https://d7wz6hmoaavd0.cloudfront.net/products/universalforwarder/releases/8.2.2/windows/splunkforwarder-8.2.2-87344edfcdb4-x64-release.msi

export PASS=xxx
export SPLUNK_HOME=/opt/splunkforwarder
export SPLUNK_TAR=splunkforwarder-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
export SPLUNK_URL='https://read:read@iccautccmd01.svs.unicc.org/repo/repository/raw-dev/tar/splunkforwarder-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz'
export http_proxy=http://wwwproxy.svc.unicc.org:8080
export https_proxy=http://wwwproxy.svc.unicc.org:8080
export no_proxy="127.0.0.1, localhost, .svs.unicc.org, .svc.unicc.org, .unicc.org"
clear

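cd /tmp

# Download the forwarder tarball and unpack it under /opt
echo "$PASS" | sudo -S wget -O "$SPLUNK_TAR" "$SPLUNK_URL"

echo "$PASS" | sudo -S tar xvzf "$SPLUNK_TAR" -C /opt

cd "$SPLUNK_HOME/bin/"

# First start of the forwarder
echo "$PASS" | sudo -S ./splunk start --accept-license # --answer-yes
# Splunk credentials (username, password), if prompted:
# csiem
# xxx

# Register with the deployment server
sudo ./splunk set deploy-poll icc-hfw0.svc.unicc.org:8089
# Splunk credentials (username, password), if prompted:
# csiem
# xxxx

# Forward data to the receiver on port 9997
echo "$PASS" | sudo -S ./splunk add forward-server icc-hfw4.svc.unicc.org:9997

# Start the forwarder automatically at boot
echo "$PASS" | sudo -S ./splunk enable boot-start

echo "$PASS" | sudo -S ./splunk restart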