Automated Install of Splunk Universal Forwarder on Windows using PowerShell - cfloquetprojects/homelab GitHub Wiki

Introduction:

  • Installing the Splunk Universal Forwarder isn't exactly a complicated process, but automating it with PowerShell makes our jobs as Splunk Administrators much easier than doing it manually.
  • Today we will be installing the latest version, which at the time of this writing is v8.2.6.

Create Initial Zipped Install Folder

  • First things first, we need to download the .msi file from the Splunk Universal Forwarder download page (after logging in).

  • Place that .msi file, along with the MD5 bits (the .md5 file) that are available for download, in the same download folder, and name the folder whatever you want.

  • 💣 Ensure that you name your files exactly as they are shown below, or modify the provided .ps1 file so that it points to the correct file names during the installation.

```powershell
### define important variables
$splufinstaller = ".\spluf-8.2.6.msi"

# extract md5 hash provided by Splunk, trim string, convert to uppercase
# (the offset of 57 assumes the layout of the downloaded .md5 file)
$validbits = (Get-Content ".\spluf-8.2.6.msi.md5" -Raw).Substring(57).Trim().ToUpper()

# retrieve the MD5 hash of the installer, return only hash data
$splufinstallerbits = Get-FileHash $splufinstaller -Algorithm MD5 | Select-Object -ExpandProperty Hash

# deployment server socket (address:port) and the config file copied in after install
$dsSocket = "10.0.3.13:8089"
$disableMgmt = ".\disableManagementPort.conf"

### Remove any existing Splunk Universal Forwarder
# note: querying Win32_Product is slow, it runs a consistency check on every installed MSI package
Write-Output "Searching for existing Splunk Universal Forwarder package..."
$SPLUF = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Forwarder" }

if ($SPLUF) {
    Write-Output "Uninstalling Splunk Universal Forwarder..."
    $SPLUF.Uninstall()
}
else {
    Write-Output "No Splunk Universal Forwarder Agent Found on Host."
}

### Validate Bits of Installer
Write-Output "Local Splunk Installer Hash (MD5): $splufinstallerbits"
Write-Output "Splunk Validated Hash (MD5):       $validbits"
$bitsVerify = Read-Host "Please Validate the Hashes Provided Above (Y/N)"

### Install Splunk Universal Forwarder
if ($bitsVerify -eq "Y") {
    Write-Output "Installing Splunk Universal Forwarder v8.2.6"

    # piping to Out-Null makes PowerShell wait until msiexec has finished
    msiexec.exe /i $splufinstaller AGREETOLICENSE=Yes "DEPLOYMENT_SERVER=$dsSocket" LAUNCHSPLUNK=1 SERVICESTARTTYPE=auto SPLUNKUSERNAME=spladmin GENRANDOMPASSWORD=1 MINPASSWORDLEN=16 MINPASSWORDDIGITLEN=4 MINPASSWORDLOWERCASELEN=4 MINPASSWORDUPPERCASELEN=4 MINPASSWORDSPECIALCHARLEN=4 /quiet /L*v uf-install-logfile.txt | Out-Null

    # only report success when msiexec actually succeeded
    if ($LASTEXITCODE -ne 0) {
        Write-Output "msiexec failed with exit code $LASTEXITCODE, see uf-install-logfile.txt"
        return
    }

    Copy-Item $disableMgmt -Destination "C:\Program Files\SplunkUniversalForwarder\etc\system\local\disableManagementPort.conf"
    Write-Output "Successfully Installed Splunk Universal Forwarder v8.2.6"
}
else {
    # hashes were not confirmed, stop without installing
    Write-Output "Hashes were not validated, installation aborted."
    return
}
```
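
The script above relies on the operator comparing the two hashes by eye, and the .md5 file sits in the same folder as the installer. As an added example (not part of the original wiki script), the check below compares the hashes in code, also checks the installer's Authenticode signature, and fails closed; the function name `Test-SplunkInstaller`, its parameters and the `*Splunk*` signer pattern are assumptions.

```powershell
# Added example: fail-closed installer check (function and parameter names are hypothetical).
function Test-SplunkInstaller {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $Md5Path,
        # Assumption: the publisher certificate subject contains "Splunk"; confirm on a known-good copy.
        [string] $SignerPattern = "*Splunk*"
    )

    # Pull the 32-hex-digit digest out of the .md5 file wherever it sits,
    # instead of relying on a fixed character offset.
    $md5Text = Get-Content -LiteralPath $Md5Path -Raw
    $match = [regex]::Match($md5Text, '(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])')
    if (-not $match.Success) {
        Write-Warning "No MD5 digest found in $Md5Path"
        return $false
    }
    $expected = $match.Value.ToUpper()
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm MD5).Hash

    if ($actual -ne $expected) {
        Write-Warning "MD5 mismatch: expected $expected, got $actual"
        return $false
    }

    # The .md5 file travels with the installer, so it only catches corruption.
    # The Authenticode signature ties the file to the publisher's certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -notlike $SignerPattern) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

# Stop the script unless every check passed.
if (-not (Test-SplunkInstaller -InstallerPath ".\spluf-8.2.6.msi" -Md5Path ".\spluf-8.2.6.msi.md5")) {
    Write-Output "Installer verification failed, aborting."
    return
}
```

Run the check before the uninstall step so that a failed verification leaves the existing forwarder in place.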