This role will deploy the Splunk universal forwarder.
This role is tested on Ubuntu 22.04 & 20.04, Oracle Linux 8 & 9, AmazonLinux 2023, and Debian 12 but should probably work on any systemd based system. The previous version of this role is available as a tag (v1.0)
For most people, the default variables that are set should be fine, but there are use cases for changing them. They are:
splunk_forwarder_user # Default User (splunk)
splunk_forwarder_group # Default Group (splunk)
splunk_forwarder_uid # Default UID (10011)
splunk_forwarder_gid # Default GID (10011)
splunk_release # Default Release Version (7.1.3)
splunk_url # Default Download URL
splunk_forwarder_rpm # Default Splunk RPM Name
splunk_forwarder_deb # Default Splunk Deb Name
splunk_rpm # Default RPM Full URL
splunk_deb # Default Deb Full URL
splunk_deb_checksum # Default Deb Checksum
splunk_rpm_checksum # Default RPM Checksum
splunk_forwarder_input_blacklist # Default blacklist for inputs.conf
splunk_forwarder_manage_inputs # Default whether to manage inputs.conf (true)
splunk_forwarder_manage_ouputs # Default whether to manage ouputs.conf (true)
splunk_forwarder_install_with_package_manager # Default whether to use a package manager (false)
splunk_forwarder_packages # Default package manager packages ([splunkforwarder])
Within your playbook, you should set the following variables:
splunk_forwarder_admin_user: # Set the administrative user for the forwarder
splunk_forwarder_admin_pass: # Set the administrative password for the forwarder
splunk_forwarder_depl_server: # Set to the URL:Port of your splunk deployment server i.e. "splunk-mgt:8089" (optional)
splunk_forwarder_indexer: # Set to the URL:PORT of your splunk indexer i.e. "splunk-indexer:9997"
splunk_forwarder_index: # Set to the index that the forwarder should use i.e. "default"
splunk_forwarder_sourcetype: # Set the Source type i.e. "nginx"
You also need to set what logs to forward. You can do so using a list:
splunk_forwarder_logs:
- /var/log/nginx/access.log
- /var/log/nginx/error.log
You must have a splunk indexer running in your environment.
You should define the required variables in your playbook and call the role:
- hosts: nginx
remote_user: ec2-user
become: True
vars:
splunk_forwarder_indexer: "splunk-indexer:9997"
splunk_forwarder_index: "prodapps"
splunk_forwarder_sourcetype: "nginx"
splunk_forwarder_logs:
- /var/log/nginx/access.log
- /var/log/nginx/error.log
roles:
- splunk-forwarder
If you want to run this against an AmazonLinux instances, add the following to your playbook, otherwise it will fail.:
pre_tasks:
- set_fact: ansible_distribution_major_version=6
when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
MIT
Mark Honomichl aka AustinCloudGuru Created in 2016
