topic Re: How to repoint the UF to the newly added forwarder in Deployment Architecture

How to repoint the UF to the newly added forwarder?

Rakzskull — Thu, 20 Apr 2023 16:38:19 GMT

Hi Guys,

I deployed a new heavy forwarder in our environment, however I'd want to repoint certain devices to the freshly deployed forwarder. I tried updating the ip in the local/deploymentclient.conf, but I'm still getting the old HF information in logs.

Could you demonstrate to me how to do so?

Re: How to repoint the UF to the newly added forwarder

scelikok — Thu, 20 Apr 2023 07:49:06 GMT

Hi @Rakzskull,

You must update outputs.conf in your UF to send logs to new HF.

Editing deploymentclient.conf only changes the deployment server address. If you are using deployment server to manage UF's you should update related deployment app outputs.conf configuration.

Re: How to repoint the UF to the newly added forwarder

isoutamo — Thu, 20 Apr 2023 07:53:44 GMT

I suppose that you have own (probably several) app for UF base configuration? Just copy it and change its outputs.conf to point that IHF to send events there. Then switch that app to correct UFs on DS side.

Re: How to repoint the UF to the newly added forwarder

gcusello — Thu, 20 Apr 2023 08:15:53 GMT

Hi @Rakzskull,

as @scelikok and @isoutamo hinted you have to update both deploymentclient.conf and outputs.conf.

My hint is to create a new add-on (called e.g. TA_Forwarders), containing at least three files:

apps.conf: describing the add-on,
outputs.conf: addressing the HFs or the Indexers to send data,
deploymentclient.conf: addressing the Deployment Server.

in this way you can centrally manage your Universal Forwarders without locally intervene on the machines.

Ciao.

Giuseppe

Re: How to repoint the UF to the newly added forwarder

Rakzskull — Thu, 20 Apr 2023 09:21:59 GMT

The local config directory of the UF’s does not contain outputs.conf file. I can only see below files in opt/splunk/etc/system/local

deploymentclient.conf

inputs.conf

migration.conf

server.conf

Re: How to repoint the UF to the newly added forwarder

isoutamo — Thu, 20 Apr 2023 09:29:22 GMT

Probably you have some apps installed on your UF. Those should be on /opt/splunkforwarder/etc/apps directory. The easiest way to look what you have on outputs.conf and where is use command

<PATH TO YOUR SPLUNK UF HOME>/bin/splunk btool outputs list --debug

That shows all attributes with values and where those are defined.

Is your conf from IHF instead of UF (based on path /opt/splunk instead of /opt/splunkforwarder)?

Anyhow as @gcusello said you should have own app for UF (I prefer several based on needs on your environment) base configurations. On that app you have configurations for where to send events (outputs.conf). Then this can contains also DS configurations or that can be on separate app, it's depending on your environment and needs.

Re: How to repoint the UF to the newly added forwarder

Rakzskull — Thu, 20 Apr 2023 15:05:46 GMT

One more thing: just out of curiosity, I changed the output.conf file with the new HF IP.

Is it necessary to also change the same HF IP in the deploymentclient.conf ?

Re: How to repoint the UF to the newly added forwarder

isoutamo — Thu, 20 Apr 2023 15:12:45 GMT

No, DS is just for deploy those configurations to UF. Outputs.conf define where UF will send events. Those are different hosts in almost all not single node environments.

Re: How to repoint the UF to the newly added forwarder

gcusello — Fri, 21 Apr 2023 07:09:58 GMT

Hi @Rakzskull,

no as me and @isoutamo said in deploymentclient.conf there's the address of the Deployment Server, the server with the role to manage forwarders, instead in outputs.conf there's the address of Indexers or Heavy Forwarders that muste receive logs from the UF.

They can be the same server in labs or little infrastructure, nevere in medium or big deployments, because in this case both Indexers and Deployment Server must be in dedicated servers, so they have diferent IPs.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉