topic Re: Configuring Forwarders with Deployment server in Splunk Enterprise

Configuring Forwarders with Deployment server

johnblakley — Tue, 29 Sep 2020 15:44:52 GMT

All,

I have a successfully deployed app based on the Splunk documentation on how to create "send_to_indexer" app. The client is checking in, but I'm unable to figure out how I can modify the client.

What I'm looking for is this. I manually installed the UF on the server and selected the Security logs. I'm getting those with no issues. Now I want to select the System logs, and I was wanting to do this by modifying the app and configure the UF, but I'm unable to find any documentation on doing it this way - maybe the deployment server isn't used for this?

Is there a way to modify what logs you're collecting from the deployment server, and the index that the deployment servers send to without having to manually update all servers?

Re: Configuring Forwarders with Deployment server

s2_splunk — Tue, 29 Sep 2020 15:44:55 GMT

That's exactly what the deployment server is for.

You configure deploymentclient.conf on the UF to point to your DS
You manage your app on the deployment server in the documented directory (../etc/apps/deployment-apps)
You setup a serverclass.conf file that maps deployment apps to serverclasses (groups of forwarders, or individual ones)
You run splunk reload deploy-server whenever a deployment app change needs to be distributed
The deployment clients checkin and download what's relevant to them based on their serverclass membership

You say you have a send_to_indexer app. Do this:

make a small change to a file in that app (add a comment or sumsuch) in the deployment-apps directory
run ./splunk reload deploy-server
Check your UF's ./etc/apps/send_to_indexer directory to validate that the updated file is there

Note that the client by default checks in every 60 seconds (phoneHomeInterval on client), so it may take up to a minute before you see the change.

Re: Configuring Forwarders with Deployment server

somesoni2 — Tue, 29 Sep 2020 15:44:45 GMT

Assuming you want to add more log monitoring on an existing client of your deployment server, so you need to do these:
1) (recommended) Create deployment app which will have event parsing configuration for your new data and will be deployed to Indexers. Say it's call someDescHere_indexer_parsing
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Createdeploymentapps
2) Create deployment app which will have monitoring configuration (inputs.conf) and will be deployed to deployment clients/forwarder. say it's called someDescHere_inputs.
3) (if following step1) Deploy *_indexer_parsing app to indexers and restart them
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Updateconfigurations
4) Deploy *_inptus app to deployment client/forwarder.
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Updateconfigurations

Re: Configuring Forwarders with Deployment server

johnblakley — Tue, 29 Sep 2020 15:45:00 GMT

I created an inputs.conf file under the send_to_indexer app, and restarted the deployment server this morning. I was expecting it to overwrite the /etc/system/local/inputs.conf, but it put it in /etc/apps/Send_To_indexer/local instead. How can I have the forwarder use this inputs file instead of the local /etc/system/local one?

I just changed the inputs.conf file again, and the changes are definitely being made...

Re: Configuring Forwarders with Deployment server

ddrillic — Mon, 18 Sep 2017 02:49:18 GMT

@johnblakley, the $SPLUNK_HOME/etc/system/local/inputs.conf file should only have the host name, something like -

[default]
host = <hostname>

All the rest should come from $SPLUNK_HOME/etc/apps/Send_To_indexer/local/inputs.conf.

Re: Configuring Forwarders with Deployment server

johnblakley — Mon, 18 Sep 2017 13:55:15 GMT

I came in this morning, and it was sending the correct logs. Thanks!