topic Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index? in Getting Data In

How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

nmensah — Tue, 15 Nov 2016 18:12:44 GMT

Hello everyone,

I have in theory a very simple question. Hopefully this is as simple as I think it is. I have a deployment server and a Universal Forwarder (UF). I also have an indexer and search head. My question is, how do I configure my deployment server to have the UF forward all logs to a certain index? I have the server class and "apps" folder set up but do I drop a config file in there or what? I can't find any good documentation. Thank you so much!

Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

hgrow — Tue, 29 Sep 2020 11:49:11 GMT

Hi nmensah,

do you want configure to wich indexer (Server) the UF sends logs to or do you want the specifiy in wich index all logs are going?
The index your data goes in is already definied by the input itself (inputs.conf).
To manage the "send to an indexer" configuration read below:

http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/HowtoforwarddatatoSplunkEnterprise covers most points.

Basicly you will deploy an app "send_to_my_indexer" via deployment server to your forwarder wich tells your UF to send logs to your indexer:

Configure UF to be managed by your deployment server
Set up the "send_to_my_indexer" on your deplyoment server
deploy and your are good to go

1) Should cover everything http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Configuredeploymentclients
2) To send all your data form your UF to your index a outputs.conf must be deployed:

[tcpout]
disabled = false
defaultGroup=yourIndexerGroup

[tcpout:yourIndexerGroup]
server=IndexerAdress:ReceivingPort

So just all you need is an app "send_to_my_indexer" under SPLUNK_HOME/etc/deployment-apps wich cointains the outputs.conf file.

3) If not already covered by the link above http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Updateconfigurations might help

Greetings hgrow

Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

gcusello — Wed, 16 Nov 2016 12:14:18 GMT

Hi nmensah,
Splunk's Best Practices suggest to build a Technology Add-On (TA), called for example TA_Forwarders, in which put only outputs.conf and deploy it to all you forwarders.
In this TA you insert an outputs.conf file with all the information mandatory to send logs to indexers:

[tcpout]
defaultGroup = autolb

[tcpout:autolb]
server = xx.xx.xx.xx:9997, yy.yy.yy.yy:9997
disabled = false

[tcpout-server://xx.xx.xx.xx:9997]

[[tcpout-server://yy.yy.yy.yy:9997]

if you want to use SSL, you have to insert also

sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = xxxxxxxxxxxxxxxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK=true

So steps to do this are:

create your TA_Forwarders modifying outputs.conf;
copy it on your Deployment server ($SPLUNK_HOME/etc/deployment-apps);
deploy;
if you already have an outputs.conf in your Forwarder, delete (or rename) it;
restart Splunk.

Bye.
Giuseppe

Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

nmensah — Wed, 16 Nov 2016 19:24:14 GMT

Thank you everyone very much for the help. This worked great. One issue though. When configure the deployment server app and the forwarder receives the configurations, how long does it take for the configuration to go into effect on the forwarder? Do I need to manually restart the forwarder every time?

Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

hgrow — Thu, 17 Nov 2016 09:29:42 GMT

Hi nmensah,

good news, you dont have to restart the forwarder every time manually! If the UF sees a diff with the installed version of an app or a new app exists on the DS the UF downloads the app and restart automatically. All you need to do is splunk reload deploy-server

http://docs.splunk.com/Documentation/Splunk/6.3.1/Updating/Updateconfigurations#Redeploy_an_app_after_you_change_its_content

Redeploy an app after you change its content
When you update the content of an app, you must reload the deployment server in order for the deployment server to redeploy the app.
Note: If you are using forwarder management, you must also manually reload the deployment server if you want to redeploy the app immediately. However, if do not manually reload the deployment server, the app will still get redeployed once you make any subsequent configuration changes in forwarder management.
To redeploy an app with updated content:
1. Update the content in the relevant deployment app directory on the deployment server.
2. Reload the deployment server to make the deployment server aware of the changed content.
The deployment server then redeploys the app to all clients that it's mapped to.
1. Update the content
The topic "Create deployment apps" described how to create app directories on the deployment server. You can add or overwrite the content in those directories at any time.
2. Reload the deployment server
After you edit the content of an app, you must reload the deployment server so that the deployment server learns of the changed app. It then redeploys the app to the mapped set of clients.
To reload the deployment server, use the CLI reload deploy-server command:
splunk reload deploy-server
The command checks all apps for changes and notifies the relevant clients.

Greetings

Re: How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

nmensah — Fri, 18 Nov 2016 16:56:29 GMT

Thank you everyone! It worked out perfectly! I used this document to create the app that would allow the deployment server to tell the Forwarder which data to collect and which index to send it to: http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Extendedexampledeployseveralstandardforwarders