The Splunk Remote Upgrader (RU) for Linux Universal Forwarders is a Splunkbase app for remotely upgrading your fleet of universal forwarders (UF) on Linux. It monitors a predefined folder for new universal forwarder packages and upgrades the UF with them.
For the distribution of the Upgrader and the universal forwarder, you can use either the Deployment Server or deliver the package manually or with existing automation. You may handle various upgrade use cases: UF upgrade only, RU upgrade only, and UF & RU upgrade.
Tested performance benchmarks of the RU: CPU usage: < 1%, Memory usage: 3 ~ 4 MB.
The Remote Upgrader (RU) for Linux is designed to update the software versions of universal forwarders installed on Linux machines. Its primary purposes are to reduce the time Splunk admins spend on upgrades (improving maintenance), increase the frequency of updates (enhancing security and reducing vulnerabilities), and enable the rapid implementation of new features available in updated versions of universal forwarders. The RU is invaluable for users needing to upgrade data collection agents via Splunk's central agent management server (the Deployment Server).
I can already see a long list of advantages offered by the Remote Upgrader, along with its promising extension capabilities:
What is truly exciting is the potential for Splunk users to expand this list even further with new improvement ideas. Splunk is fully committed and enthusiastic about this collaborative development journey. Together, we (your team and the Splunk team) will not only create an optimal Remote Upgrader system but also establish best practices for integrating and utilizing this product alongside automation tools (e.g., Infrastructure as Code apps, etc.). Ultimately, this collaboration will result in a comprehensive and powerful solution.
You install the Remote Upgrader (RU) on the same Linux instance (machine) as your universal forwarder. The RU monitors a predefined folder, /tmp/SPLUNK_UPDATER_MONITORED_DIR, for new UF packages. When a new UF package is detected, the RU automatically upgrades the UF with that package.
The UF installation package is delivered to the UF through the Deployment Server, encapsulated within the delivery app (a typical scripted Splunk app) and placed in the directory $SPLUNK_HOME/etc/apps. Once the delivery app is automatically initiated on the UF, it copies the UF installation package (comprising the .tgz file and its signature .sig file) into the RU's predefined folder, /tmp/SPLUNK_UPDATER_MONITORED_DIR.
Since the RU triggers installation based on monitoring the predefined folder (and not the UF app folder), a simple scripted delivery app is required.
Fig. UF upgrade via Deployment Server
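The copy step of a delivery script could look like the following. This is an added example, not Splunk's own delivery script; the function names are hypothetical. It assumes the app directory holds exactly one .tgz and one .sig, that the RU has already created the monitored folder, and that the RU ignores the hidden ".partial" temporary names, none of which the page states.

```shell
#!/bin/sh
# Added example: staging step of a delivery script (not Splunk's own script).
# Assumption: the app ships exactly one .tgz and one .sig in its own directory.
MONITORED_DIR="${MONITORED_DIR:-/tmp/SPLUNK_UPDATER_MONITORED_DIR}"

# Print the only file in directory $1 with extension $2; fail if there is
# not exactly one such regular file.
only_one() {
    set -- "$1"/*."$2"
    [ $# -eq 1 ] && [ -f "$1" ] && printf '%s\n' "$1"
}

# stage_uf_package SRC_DIR [DEST_DIR]
# Returns 0 on success, 2 if the package pair is incomplete,
# 3 if the destination is unsafe, 4 if a copy failed or did not verify.
stage_uf_package() {
    src=$1
    dest=${2:-$MONITORED_DIR}
    tgz=$(only_one "$src" tgz) || return 2
    sig=$(only_one "$src" sig) || return 2
    [ -s "$tgz" ] && [ -s "$sig" ] || return 2

    # The folder lives under world-writable /tmp: refuse a symlink or a
    # non-directory that someone else placed under that name.
    [ -d "$dest" ] && [ ! -L "$dest" ] || return 3

    # Signature first, package second, each written under a temporary name and
    # renamed only after a byte-for-byte comparison, so the watcher never sees
    # a half-written file or a package without its signature.
    for f in "$sig" "$tgz"; do
        name=$(basename "$f")
        tmp="$dest/.$name.partial"
        cp -- "$f" "$tmp" && cmp -s "$f" "$tmp" || { rm -f -- "$tmp"; return 4; }
        mv -- "$tmp" "$dest/$name" || return 4
    done
    return 0
}

# In a delivery script the last line would be:
#   stage_uf_package "$(dirname "$0")"
```

The distinct return codes let the scripted input's log show whether an upgrade was skipped because the pair was incomplete or because the monitored folder looked tampered with.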
Due to operating system constraints, the Remote Upgrader must be installed manually and executed with elevated privileges (sudo or root) the first time. This change enhances security while enabling the universal forwarder to function as a non-root application.
Please note that the described solution includes the following packages:
An important detail about these packages is that during the installation process, you only need two packages: the Remote Upgrader for Linux and the delivery app containing the encapsulated UF installation package. The first package is part of the application downloaded from Splunkbase. The second package is assembled using the application downloaded from Splunkbase and the UF installation package obtained from splunk.com.
Remote Upgrader for Linux: When you download the RU application from Splunkbase, you will receive the complete directory structure of a typical Splunk application, with the RU package incorporated as a single .tgz file (e.g., "splunk-upgrader-100.tgz" in the initial version of the RU). Please note that only the RU installation .tgz file is required for installation; the full application structure will be utilized later for upgrading UFs.
Delivery app: This app has the structure of a typical Splunk application, including components such as the delivery script (.sh file), the UF installation file (.tgz file), and the UF signature file (.sig file). The UF installation and signature files must be downloaded from splunk.com and added to the RU application downloaded from Splunkbase.
UF installation package: This consists of the UF installation file (.tgz file) and the UF signature file (.sig file). These files must also be downloaded from splunk.com and included in the RU application from Splunkbase.
The diagram below illustrates the structure of the RU for Linux application (version 1.0.0) as downloaded from Splunkbase, including the integrated 9.4.0 UF installation package.
Fig. Structure of the RU (ver. 1.0.0) for Linux app downloaded from Splunkbase (with UF 9.4.0)
Below, you will find a condensed installation manual outlining how to distribute the Remote Upgrader package via the Deployment Server and how to upgrade universal forwarders using the same method. This section aims to give you only an overview of the distribution and installation process.
Distribute the Remote Upgrader package using DS
Upgrade UF using DS and the Remote Upgrader
For a detailed installation guide, please refer to the Splunk documentation: https://docs.splunk.com/Documentation/Forwarder/1.0.1/ForwarderRemoteUpgradeLinux/About
We are currently developing Remote Upgrader for Windows, modeled after the efficiency of Remote Upgrader for Linux. The release is planned once the solution is positively tested, and then it will be officially scheduled. Following this launch, we aim to continue refining the solution to achieve even greater improvements. Stay interested, look forward to upcoming advancements, and stay in touch with us.
We welcome your suggestions and ideas and look forward to collaborating with you. Your input will be instrumental in shaping this groundbreaking tool into a unified, seamless, versatile, and reliable solution for managing system upgrades efficiently.