https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/585283#M11588 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266">@shocko</a>,</P><P>the correct approach is to create an App (I usually call TA_Forwarders) containing only two files:</P><UL><LI>deploymentclient.conf (to address and manage the connection with the DS),</LI><LI>outputs.conf (to address and manage the connection with the Indexers).</LI></UL><P>In this way you have in only one point the configuratins to reach DS and Indexers, so you can easily make every change (e.g. changeing DS or adding an Indexers).</P><P>If your client is connected to the DS, every added App or every local change is deleted at the first check.</P><P>The only problem is that, when you install a new Forwarder, you have to manually copy this App on the Client and locally restart Splunk, then it's in the managing cycle.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 16 Feb 2022 07:13:06 GMT gcusello 2022-02-16T07:13:06Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583919#M11489 <P>I'm using Splunk Enterprise 8.2.4 with deployment server. I wat to push out all config/apps to my forwarders to prevent server admins adding config/apps locally. To date system admins have been creating their own inputs and dumping data into main, flooding the license usages etc. and I need to stop this happening. I only want approved configs/inputs etc. to be pushed to the forwarders. As such, I have onboarded all my forwarders to deployment server. My first question is:</P><UL><LI><FONT color="#800080"><STRONG>Q1</STRONG></FONT>: How to prevent a user at the system creating an input and pushing data to the indexers? Is their a config item to only accept deployment server deployed inputs?</LI></UL><P>On a test system I pushed an application I created that disabled the collection of the&nbsp;[WinEventLog://Security]. I found though that that system had received the app but was still pushing those events. Running btool at the forwarder shows:</P><P><FONT color="#FF0000"><EM>C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]</EM></FONT><BR /><FONT color="#FF0000"><EM>C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf disabled = 0</EM></FONT></P><P><FONT color="#000000">So this seems to be the config from when the forwarder&nbsp;was installed ad the windows inputs were selected in the forwarder&nbsp;MSI installation&nbsp;UI. </FONT></P><UL><LI><FONT color="#000000"><FONT color="#800080"><STRONG>Q2</STRONG></FONT>: How to override this with deployment server i.e. a locally configured input not necessarily&nbsp;in the apps folder?</FONT></LI></UL><P>&nbsp;</P> Mon, 07 Feb 2022 11:15:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583919#M11489 shocko 2022-02-07T11:15:21Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583925#M11490 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266">@shocko</a>,</P><P>if you configured your target server as a Deployment Client, managed by the Deployment Server, each local update on the target server is deleted at the next DS check.</P><P>To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Feb 2022 11:53:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583925#M11490 gcusello 2022-02-07T11:53:31Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583933#M11492 <P>Thanks for the reply. The file&nbsp;<FONT color="#FF0000"><EM>C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf&nbsp;</EM></FONT>would have existed before the system was onboarded onto the deployment&nbsp;server but even after forwarder check-in it persists. So does this not indicate that only apps deployed by deployment server are enforced and locally created ones are not?</P> Mon, 07 Feb 2022 13:00:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583933#M11492 shocko 2022-02-07T13:00:31Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583936#M11493 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266">@shocko</a>,</P><P>there are some internal&nbsp;apps that cannot be used and that aren't managed by the Deployment Server,&nbsp;&nbsp;<EM>SplunkUniversalForwarder in one of them!</EM></P><P><EM>Ciao.</EM></P><P><EM>Giuseppe</EM></P> Mon, 07 Feb 2022 13:10:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583936#M11493 gcusello 2022-02-07T13:10:18Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583951#M11495 <P>OK. That says to me that deployment server can only be used to deliver applications per ya and not to control an arbitrary one ? Or, do you mean that I should deploy this to the SplunkUniversalForwarder app ?</P> Mon, 07 Feb 2022 14:14:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583951#M11495 shocko 2022-02-07T14:14:03Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583953#M11496 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266">@shocko</a>.</P><P>DS can be used to deploy and control every App to Clients.</P><P>There are some internal app, installed during installation and that cannot be modified, that aren't managed by DS.</P><P>Every other App is managed by DS.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Feb 2022 14:17:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/583953#M11496 gcusello 2022-02-07T14:17:35Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/585233#M11583 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;, I don't understand what you man by</P><P><FONT color="#993300"><EM>To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.</EM></FONT></P><P><SPAN>Can you elaborate?&nbsp;</SPAN></P> Tue, 15 Feb 2022 20:44:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/585233#M11583 shocko 2022-02-15T20:44:04Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/585283#M11588 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266">@shocko</a>,</P><P>the correct approach is to create an App (I usually call TA_Forwarders) containing only two files:</P><UL><LI>deploymentclient.conf (to address and manage the connection with the DS),</LI><LI>outputs.conf (to address and manage the connection with the Indexers).</LI></UL><P>In this way you have in only one point the configuratins to reach DS and Indexers, so you can easily make every change (e.g. changeing DS or adding an Indexers).</P><P>If your client is connected to the DS, every added App or every local change is deleted at the first check.</P><P>The only problem is that, when you install a new Forwarder, you have to manually copy this App on the Client and locally restart Splunk, then it's in the managing cycle.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 16 Feb 2022 07:13:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Preventing-use-of-Local-Created-Apps/m-p/585283#M11588 gcusello 2022-02-16T07:13:06Z