Splunk - Add "monitor" to Splunk Forwarders

Description

Task used to deploy a new log monitor to Splunk forwarders. The task prompts the user for the following data:

  1. The full path to the log file or directory to be monitored.
  2. The sourcetype to assign to these logs.
  3. The file extension of the log, which is added to a whitelist for the monitor.
  4. The RFC number this monitor is being added under. This keeps a record of the change and gives an avenue for rolling it back if necessary.

NOTE: The last prompt exists so that a monitor can be rolled back if it causes issues. "RFC" is a term used in the environment this task was created in; it can be any value the user wants to use to keep a record of previous versions of the "inputs.conf" file.


Property Details

ID: 4003
Status: Production - Fully Tested and Ready for Production
Title: Splunk - Add "monitor" to Splunk Forwarders
Domain: BESC
Source: James Maple
Source Release Date: 2/26/2015 12:00:00 AM
Keywords: splunk forwarder, monitor, inputs.conf
Added by on 3/20/2015 5:31:37 AM
Last Modified by on 3/20/2015 6:43:01 AM
Counters: 4132 Views / 8 Downloads

Relevance

Used in 2 fixlets. Results in a true/false.
if name of operating system contains "Win" then exists service "SplunkForwarder"
else if name of operating system contains "Linux" then exists package "splunkforwarder" of rpm
else if name of operating system contains "Sun" then exists pkginfo "splunkforwarder" of pkgdb
else false

Actions

Action 1 (default)

Script Type: BigFix Action Script

//Get configuration and RFC number from the user. The RFC number is appended to the backup copy of the inputs.conf file.
action parameter query "sourcePath" with Description "Enter the full path to the log/folder you want monitored."
action parameter query "sourceType" with Description "Enter the sourcetype to be used for these logs."
action parameter query "whitelist" with Description "Enter the extension used for this log. (Example: .log, .txt, etc.)"
action parameter query "rfcReference" with Description "Enter the change control number this is approved under. (Example: CXXXXXXX)"

//Define path to the inputs.conf file needing to be altered
if {name of operating system contains "Win"}
parameter "filePath"="C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"
elseif {name of operating system does not contain "Win"}
parameter "filePath"="/opt/splunkforwarder/etc/system/local/inputs.conf"
endif

//Define text parameters to be replaced
if {name of operating system contains "Win"}
parameter "textToReplace"="{line 2 of file "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"}"
elseif {name of operating system does not contain "Win"}
parameter "textToReplace"="{line 2 of file "/opt/splunkforwarder/etc/system/local/inputs.conf"}"
endif

parameter "newtext"="host = {computer name}"

//Abort if a backup for this RFC number already exists, so a previous rollback copy is never overwritten
continue if {not exists file ((parameter "filePath" of action as string) & ".bak." & (parameter "rfcReference" of action as string))}

//Stop the Splunk service
if {name of operating system contains "Win"}
dos net stop splunkforwarder
elseif {name of operating system contains "Linux"}
delete __appendfile
appendfile service splunk stop
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
elseif {name of operating system contains "Sun"}
delete __appendfile
appendfile /opt/splunkforwarder/bin/splunk stop
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
endif

//Delete __appendfile
delete __appendfile

//Iterate through the file adding the text
appendfile {concatenation "%0d%0a" of ( if (it contains (parameter "textToReplace" of action as string)) then ((preceding text of first (parameter "textToReplace" of action as string) of it) & (parameter "newtext" of action) & ("%0d%0a%0d%0a#Change Control: " & (parameter "rfcReference" of action as string) & "%0d%0a[monitor://" & (parameter "sourcePath" of action as string) & "]%0d%0asourcetype = " & (parameter "sourceType" of action as string) & "%0d%0adisabled = 0%0d%0awhitelist = \" & (parameter "whitelist" of action as string) & "$") as string ) else it ) of lines of file (parameter "filePath" of action as string)}

//Backup the old file
copy "{parameter "filePath"}" "{parameter "filePath"}.bak.{parameter "rfcReference"}"

//Replace with the new file
delete "{parameter "filePath"}"
move __appendfile "{parameter "filePath"}"

//Set permissions on the new file (full control for Everyone on Windows, mode 644 elsewhere)
if {windows of operating system}
waithidden cmd.exe /C cacls "{parameter "filePath"}" /e /p Everyone:f
elseif {not windows of operating system}
wait chmod 644 "{parameter "filePath"}"
endif

//Clear any locked files
if {name of operating system contains "Win"}
dos "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" clean locks
elseif {name of operating system contains "Linux"}
delete __appendfile
appendfile /opt/splunkforwarder/bin/splunk clean locks
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
elseif {name of operating system contains "Sun"}
delete __appendfile
appendfile /opt/splunkforwarder/bin/splunk clean locks
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
endif

//Start the Splunk service
if {name of operating system contains "Win"}
dos net start splunkforwarder
elseif {name of operating system contains "Linux"}
delete __appendfile
appendfile service splunk start
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
elseif {name of operating system contains "Sun"}
delete __appendfile
appendfile /opt/splunkforwarder/bin/splunk start
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
run "{(client folder of current site as string) & "/__appendfile"}"
endif
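As an added example, not part of the fixlet and not Splunk's own tooling, the following Python script performs the same inputs.conf edit the action script above performs, on a local copy of the file: it refuses to run when a backup for the RFC number already exists, backs the file up as inputs.conf.bak.<RFC>, rewrites the host line to the local host name, inserts the monitor stanza with sourcetype, disabled = 0 and an extension whitelist, and adds the rollback step the backup naming scheme exists to support. It goes slightly beyond the action script by locating the "host =" line instead of assuming it is line 2, and by escaping the extension with re.escape before building the whitelist regex. The sample inputs.conf contents, host name, source path, sourcetype and change-control number are constructed values.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Added example (not the fixlet's own code): a Python equivalent of the
# action script's edit of inputs.conf, plus the rollback the ".bak.<RFC>"
# suffix is meant to support. The sample inputs.conf below is constructed.
SAMPLE_INPUTS_CONF = (
    "[default]\nhost = forwarder01\n\n"
    "[monitor:///var/log/messages]\nsourcetype = syslog\ndisabled = 0\n"
)


def build_monitor_stanza(source_path, source_type, extension, rfc_reference):
    """The text the task adds: a change-control comment, the monitor stanza,
    sourcetype, disabled = 0 and a whitelist regex anchored to the file
    extension (".log" becomes "\\.log$")."""
    if not (source_path and source_type and rfc_reference):
        raise ValueError("source path, sourcetype and RFC reference are required")
    ext = extension if extension.startswith(".") else "." + extension
    whitelist = re.escape(ext) + "$"  # whitelist is a regex: keep the dot literal
    return (
        f"#Change Control: {rfc_reference}\n"
        f"[monitor://{source_path}]\n"
        f"sourcetype = {source_type}\n"
        "disabled = 0\n"
        f"whitelist = {whitelist}\n"
    )


def insert_monitor(conf_text, stanza, hostname):
    """Rewrite the first 'host =' line to the local host name and place the
    new stanza directly after it (the action script does this to line 2).
    Raises if no host line is present, rather than guessing a position."""
    out, inserted = [], False
    for line in conf_text.splitlines():
        if not inserted and line.strip().startswith("host ="):
            out.append(f"host = {hostname}")
            out.append("")
            out.extend(stanza.rstrip("\n").split("\n"))
            inserted = True
        else:
            out.append(line)
    if not inserted:
        raise ValueError("no 'host =' line found; inputs.conf layout is not what the task expects")
    return "\n".join(out) + "\n"


def backup_name(conf_path, rfc_reference):
    """inputs.conf -> inputs.conf.bak.<RFC>, matching the action script."""
    conf_path = Path(conf_path)
    return conf_path.with_name(f"{conf_path.name}.bak.{rfc_reference}")


def add_monitor(conf_path, hostname, source_path, source_type, extension, rfc_reference):
    """Refuse to run if a backup for this RFC already exists (the action's
    'continue if' guard), then back up and replace inputs.conf."""
    conf_path = Path(conf_path)
    backup = backup_name(conf_path, rfc_reference)
    if backup.exists():
        raise FileExistsError(f"backup for {rfc_reference} already exists: {backup}")
    stanza = build_monitor_stanza(source_path, source_type, extension, rfc_reference)
    new_text = insert_monitor(conf_path.read_text(), stanza, hostname)
    shutil.copy2(conf_path, backup)  # keep the pre-change copy before writing
    conf_path.write_text(new_text)
    return new_text


def rollback(conf_path, rfc_reference):
    """Restore inputs.conf from the backup recorded under rfc_reference."""
    backup = backup_name(conf_path, rfc_reference)
    if not backup.exists():
        raise FileNotFoundError(f"no backup recorded for {rfc_reference}")
    shutil.copy2(backup, conf_path)
    return Path(conf_path).read_text()


def demo():
    """Run add, refused duplicate RFC and rollback in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "inputs.conf"
        conf.write_text(SAMPLE_INPUTS_CONF)
        changed = add_monitor(conf, "forwarder01", "/var/log/app", "app_log", ".log", "C0000001")
        try:
            add_monitor(conf, "forwarder01", "/var/log/app", "app_log", ".log", "C0000001")
            duplicate_refused = False
        except FileExistsError:
            duplicate_refused = True
        restored = rollback(conf, "C0000001")
    return {"changed": changed, "duplicate_refused": duplicate_refused, "restored": restored}


if __name__ == "__main__":
    print(demo()["changed"])
```

Running the file prints the rewritten inputs.conf produced in a temporary directory; demo() exercises the add, the refused second run under the same RFC, and the rollback. The whitelist value is a regular expression, which is why the dot in the extension is escaped: an unescaped ".log$" would also match names such as "xlog".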

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Comments

jimwald -
It should be noted that Splunk has now integrated a forwarder management system that allows seamless deployment updates to be sent using the Splunk deployment server. This fixlet should be used if there is no deployment server configured.