Author: Ryan Faircloth
Summary: Using a repository for version management of the Splunk Universal Forwarder helps ensure that managed Ubuntu systems are running the approved version of the software at all times.
Set up the repository server
- Install reprepro and nginx
sudo apt-get install reprepro nginx packaging-dev -y
- Create a user to work with the repository
sudo adduser --disabled-password --disabled-login --home /srv/reprepro --group reprepro
- Change to the reprepro user; all commands for the repository should be executed as this ID
sudo su - reprepro
Generate GPG Keys
- Create the default configuration for gpg by running the command
gpg --list-keys
- Edit ~/.gnupg/gpg.conf
- uncomment the line
no-greeting
- add the following content to the end of the file
# Prioritize stronger algorithms for new keys.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP UNCOMPRESSED
# Use a stronger digest than the default SHA1 for certifications.
cert-digest-algo SHA512
- uncomment the line
- Generate a new key with the command
gpg --gen-key
- Select the following options
- Type of key “(1) RSA and RSA (default)”
- Key size “4096”
- Expires “10y”
- Confirm “Y”
- Real Name “Splunk local repository”
- Email address: the repository contact; this should generally be an alias or distribution list
- Leave the comment blank
- Confirm and “O” to Okay
- Leave the passphrase blank and confirm. A key will be generated; note the sub key ID, which is E507D48E in the following example
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-05-24
pub 4096R/410E1699 2015-05-27 [expires: 2025-05-24]
Key fingerprint = 7CB8 81A9 E07F DA7B 83FF 2E1B 8B31 DA83 410E 1699
uid Splunk local repository <repo@example.com>
sub 4096R/E507D48E 2015-05-27 [expires: 2025-05-24]
- Export the public component of the signing key; save this content for use later on the client systems
gpg --export --armor KEY_ID >~/repo.pub
Configure reprepro
- Change to the reprepro user; all commands for the repository should be executed as this ID
sudo su - reprepro
- Create the directory structure (as the reprepro user, which owns /srv/reprepro, so sudo is not needed)
mkdir -p /srv/reprepro/ubuntu/{conf,dists,incoming,indices,logs,pool,project,tmp}
- Change directories to the new repository
cd /srv/reprepro/ubuntu/
- Edit the file
/srv/reprepro/ubuntu/conf/distributions
- Update the file contents
Origin: SplunkEnterprise
Label: SplunkEnterprise
Codename: ponies
Architectures: i386 amd64 source
Components: main
Description: Splunk Enterprise and Universal Forwarders for Debian based systems
SignWith: YOUR-KEY-ID
- Edit the file
/srv/reprepro/ubuntu/conf/options
- Update the file contents
ask-passphrase
basedir .
Load the packages
Load the packages using the following command syntax, replacing package.deb with the correct path to the splunkforwarder .deb file
reprepro -S utils -P standard includedeb ponies package.deb
Set up the web server
- Create the file
/etc/nginx/sites-available/vhost-packages.conf
- Use the following content, replacing packages.internal with the FQDN of the repository host. The two deny rules keep the reprepro configuration and database directories from being served to clients.
server {
    listen 80;
    server_name packages.internal;
    access_log /var/log/nginx/packages-access.log;
    error_log /var/log/nginx/packages-error.log;

    location / {
        root /srv/reprepro;
        index index.html;
    }

    location ~ /(.*)/conf {
        deny all;
    }

    location ~ /(.*)/db {
        deny all;
    }
}
- Increase the server name hash bucket size by creating the following file
/etc/nginx/conf.d/server_names_hash_bucket_size.conf
- Use the following content
server_names_hash_bucket_size 64;
- Enable the new configuration
sudo ln -s /etc/nginx/sites-available/vhost-packages.conf /etc/nginx/sites-enabled/vhost-packages.conf
sudo service nginx reload
Configure the repository on client systems
- Edit the file
/etc/apt/sources.list.d/packages.internal.list
- Use the following content
deb http://packages.internal/ubuntu/ ponies main
- Import the public key exported earlier (copied here to /tmp/repo.pub on the client)
sudo apt-key add /tmp/repo.pub
- Update the repository cache
sudo apt-get update
Install the Splunk Universal Forwarder
Run the following command
sudo apt-get install splunkforwarder
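The point of serving the forwarder from a controlled repository is that every managed host runs the approved version. The following script is an added example, not part of the original article: it parses the output of `apt-cache policy splunkforwarder` and reports drift between the installed version and the repository candidate, which is what a configuration check or monitoring job would look for. The two embedded policy outputs are constructed samples (version numbers are placeholders) so the logic can be exercised offline; pass `--live` to run it against the host's real apt cache.

```shell
#!/bin/sh
# Added example (not from the original article): detect version drift between
# the forwarder a host has installed and the version the approved repository offers.

# Print the value of a field ("Installed" or "Candidate") from apt-cache policy
# output read on stdin. apt prints "(none)" when nothing is installed.
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Compare Installed and Candidate in the policy text read on stdin.
# Returns 0 when they match, 1 when the host has drifted or has no forwarder.
check_drift() {
    text=$(cat)
    installed=$(printf '%s\n' "$text" | policy_field Installed)
    candidate=$(printf '%s\n' "$text" | policy_field Candidate)
    if [ "$installed" = "$candidate" ] && [ "$installed" != "(none)" ]; then
        echo "OK: splunkforwarder $installed matches repository candidate"
        return 0
    fi
    echo "DRIFT: installed=$installed candidate=$candidate" >&2
    return 1
}

# Constructed sample outputs in the format apt-cache policy produces.
SAMPLE_IN_SYNC='splunkforwarder:
  Installed: 6.2.3
  Candidate: 6.2.3
  Version table:
 *** 6.2.3 0
        500 http://packages.internal/ubuntu/ ponies/main amd64 Packages
        100 /var/lib/dpkg/status'

SAMPLE_DRIFTED='splunkforwarder:
  Installed: 6.1.0
  Candidate: 6.2.3
  Version table:
     6.2.3 0
        500 http://packages.internal/ubuntu/ ponies/main amd64 Packages
 *** 6.1.0 0
        100 /var/lib/dpkg/status'

# Usage: sh check-uf-drift.sh [--live]
if [ "${1:-}" = "--live" ] && command -v apt-cache >/dev/null 2>&1; then
    apt-cache policy splunkforwarder | check_drift
else
    printf '%s\n' "$SAMPLE_IN_SYNC" | check_drift
    printf '%s\n' "$SAMPLE_DRIFTED" | check_drift || true
fi
```

Because the exit status carries the result, the same function can drive a cron job or a configuration-management resource that reinstalls the package when drift is detected.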
Configure the universal forwarder
There are several options for configuring the forwarder:
- Using best practices to manually create the org_deploymentclient configuration app
- Using an RPM based configuration package
- Using a configuration management system such as Puppet or Chef
Create and install a configuration package for the Universal Forwarder
In the following procedure "org" should be replaced with the abbreviation of the organization using the configuration.
- Create the path
/srv/reprepro/org_debs/
- Create the path for the first version of the package, i.e.
mkdir org-splunk-ufconfig-1
- Change to the new directory
- Create the following structure
├── DEBIAN
│   ├── control (file)
│   ├── postinst (file)
│   ├── preinst (file)
│   └── prerm (file)
└── opt
    └── splunkforwarder
        └── etc
            └── apps
                └── org_all_deploymentclient
                    └── default
                        └── deploymentclient.conf (file)
- Edit the DEBIAN/control file as follows
Package: org-splunk-ufconfig
Section: base
Priority: standard
Version: 1
Architecture: all
Maintainer: Your Name <you@email.com>
Depends: splunkforwarder (>=6.0.0)
Description: <insert up to 60 chars description>
<insert long description, indented with spaces>
- Edit the DEBIAN/postinst
#!/bin/bash
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license --answer-yes
service splunk start
- Edit the DEBIAN/preinst
#!/bin/bash
file="/etc/init.d/splunk"
if [ -f "$file" ]
then
    echo "$file found."
    service splunk stop
else
    echo "$file not found."
fi
- Edit the DEBIAN/prerm
#!/bin/bash
file="/etc/init.d/splunk"
if [ -f "$file" ]
then
    echo "$file found."
    service splunk stop
    /opt/splunkforwarder/bin/splunk disable boot-start
else
    echo "$file not found."
fi
- Update the contents of deploymentclient.conf with the appropriate information for your installation
- Add additional content as required for your deployment
- Change directories up to the parent of org-splunk-ufconfig-1
- Create the Debian package with the command
dpkg-deb --build org-splunk-ufconfig-1/
- Change to the repository directory
/srv/reprepro/ubuntu
- Store the new package in the repository
reprepro -S utils -P standard includedeb ponies /srv/reprepro/org_debs/org-splunk-ufconfig-1.deb
- Install the new package on the client using the command
sudo apt-get install org-splunk-ufconfig
This will also install the splunkforwarder package if it has not yet been installed, because of the Depends line in the control file.
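The packaging procedure above, carried through as one non-interactive script. This is an added example and not code from the original article: it scaffolds the org-splunk-ufconfig tree, writes the control file, deployment client configuration and the three maintainer scripts, makes the scripts executable (dpkg-deb refuses to build otherwise, which is the step most often missed when following the list by hand), runs a few sanity checks, and builds and publishes the package when dpkg-deb and reprepro are present. The organization abbreviation and version are taken as arguments; deploymentserver.example.com is a placeholder for your real deployment server.

```shell
#!/bin/sh
# Added example (not from the original article): scaffold, check, build and
# publish the org-splunk-ufconfig package in one step.
set -u

# Create the package tree under $3 (default: current directory) and print its path.
# Usage: make_ufconfig_pkg org 1 /srv/reprepro/org_debs
make_ufconfig_pkg() {
    org=$1; ver=$2; base=${3:-.}
    pkg="$base/${org}-splunk-ufconfig-${ver}"
    app="$pkg/opt/splunkforwarder/etc/apps/${org}_all_deploymentclient/default"
    mkdir -p "$pkg/DEBIAN" "$app"
    chmod 0755 "$pkg/DEBIAN"   # dpkg-deb requires 0755..0775 on the control directory

    cat > "$pkg/DEBIAN/control" <<EOF
Package: ${org}-splunk-ufconfig
Section: base
Priority: standard
Version: ${ver}
Architecture: all
Maintainer: Your Name <you@email.com>
Depends: splunkforwarder (>= 6.0.0)
Description: Deployment client configuration for the Splunk Universal Forwarder
 Points the forwarder at the ${org} deployment server so apps are managed centrally.
EOF

    # deploymentserver.example.com is a placeholder for the real deployment server.
    cat > "$app/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = deploymentserver.example.com:8089
EOF

    # Maintainer scripts as given in the article.
    cat > "$pkg/DEBIAN/preinst" <<'EOF'
#!/bin/bash
file="/etc/init.d/splunk"
if [ -f "$file" ]; then echo "$file found."; service splunk stop
else echo "$file not found."; fi
EOF
    cat > "$pkg/DEBIAN/postinst" <<'EOF'
#!/bin/bash
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license --answer-yes
service splunk start
EOF
    cat > "$pkg/DEBIAN/prerm" <<'EOF'
#!/bin/bash
file="/etc/init.d/splunk"
if [ -f "$file" ]; then echo "$file found."; service splunk stop
    /opt/splunkforwarder/bin/splunk disable boot-start
else echo "$file not found."; fi
EOF
    # dpkg-deb rejects non-executable maintainer scripts, so set modes explicitly.
    chmod 0755 "$pkg/DEBIAN/preinst" "$pkg/DEBIAN/postinst" "$pkg/DEBIAN/prerm"
    chmod 0644 "$pkg/DEBIAN/control" "$app/deploymentclient.conf"
    printf '%s\n' "$pkg"
}

# Sanity checks before building: scripts executable, control file names the
# package and depends on splunkforwarder, deployment client has a target.
check_ufconfig_pkg() {
    pkg=$1
    for s in preinst postinst prerm; do
        [ -x "$pkg/DEBIAN/$s" ] || { echo "DEBIAN/$s missing or not executable" >&2; return 1; }
    done
    grep -q '^Package: .*-splunk-ufconfig$' "$pkg/DEBIAN/control" || return 1
    grep -q '^Depends: splunkforwarder' "$pkg/DEBIAN/control" || return 1
    grep -q '^targetUri = ' "$pkg"/opt/splunkforwarder/etc/apps/*/default/deploymentclient.conf
}

# Build the .deb and add it to the "ponies" distribution when the tools are present.
build_and_publish() {
    pkg=$1
    check_ufconfig_pkg "$pkg" || return 1
    if ! command -v dpkg-deb >/dev/null 2>&1; then
        echo "dpkg-deb not available; package tree left at $pkg" >&2
        return 0
    fi
    dpkg-deb --build "$pkg" || return 1
    if command -v reprepro >/dev/null 2>&1 && [ -d /srv/reprepro/ubuntu/conf ]; then
        reprepro -b /srv/reprepro/ubuntu -S utils -P standard includedeb ponies "$pkg.deb"
    fi
}

# Usage: sh build-ufconfig.sh org 1 /srv/reprepro/org_debs
if [ $# -ge 2 ]; then
    build_and_publish "$(make_ufconfig_pkg "$1" "$2" "${3:-.}")"
fi
```

Run it as the reprepro user so the resulting .deb lands in /srv/reprepro/org_debs with the right ownership; bump the version argument for each new configuration release so clients pick it up with a normal apt-get upgrade.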