https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569749#M101015 <P>Nope, I don't have anything like that.&nbsp;</P> Tue, 05 Oct 2021 17:57:37 GMT whar_garbl 2021-10-05T17:57:37Z https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569714#M101011 <P>I have a single-instance Splunk setup with a handful of Universal Forwarders sending in data. There was previously a different architecture on this network, but this is a new build from the ground up - everything is new builds and fresh installs (all version 8.2.2.1; server is RHEL 8; clients are Windows 10).&nbsp;</P><P>My UFs are installed with command line options to set the forwarding server and deployer (the same place). However, periodically, the clients' outputs.conf and deploymentclient.conf are being overwritten, and I cannot for the life of me figure out why. The settings being pushed in are for the old architecture, none of which remains on the network. Also, notably, it seems to only be the Windows UFs that are getting their settings overwritten - my *nix boxes do not appear to be affected as of now.&nbsp;</P><P>I have attached a ProcMon to monitor the file edits. The changes are coming from splunkd.exe via the REST API:&nbsp;</P><LI-CODE lang="markup">C:\Program Files\SplunkUniversalForwarder\bin\splunkd rest --noauth POST /services/data/outputs/tcp/server/ name=wrong_server.domain.com:9997</LI-CODE><LI-CODE lang="markup">C:\Program Files\SplunkUniversalForwarder\bin\splunkd rest --noauth POST /services/admin/deploymentclient/deployment-client/ targetUri=wrong_deployer.domain.com:8089</LI-CODE><P>I haven't yet found a way to manually elicit this change, and the update interval seems to vary from just a few minutes to every couple of hours. I've scoured my Group Policy and have not found any relevant settings there.&nbsp;</P><P>I'm stumped. Does anyone have any ideas as to what may be doing this?</P> Tue, 05 Oct 2021 15:20:17 GMT https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569714#M101011 whar_garbl 2021-10-05T15:20:17Z https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569747#M101014 <P>You've ruled out GPO.&nbsp; Does your company have another management utility, like BigFix, Puppet, or Ansible?</P> Tue, 05 Oct 2021 17:54:04 GMT https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569747#M101014 richgalloway 2021-10-05T17:54:04Z https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569749#M101015 <P>Nope, I don't have anything like that.&nbsp;</P> Tue, 05 Oct 2021 17:57:37 GMT https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569749#M101015 whar_garbl 2021-10-05T17:57:37Z https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569764#M101019 <P>I figured it out.</P><P>Someone had set a compliance baseline in SCCM to check and overwrite the conf files if they didn't match a specified value. Somehow that had been lingering for a couple of years without being disabled. Oops.</P> Tue, 05 Oct 2021 18:46:21 GMT https://community.splunk.com/t5/Getting-Data-In/Output-and-deployment-client-configs-constantly-overwritten/m-p/569764#M101019 whar_garbl 2021-10-05T18:46:21Z