Would anyone have advice on the following?
I am deploying the Splunk universal forwarder in a mixed Windows environment. I have some IIS servers, some 2003 servers, some 2008 servers, and a few other applications as well.
When configuring deployment apps to be sent to the universal forwarder on these servers, is it best to configure a separate app for each "type" of server? For example,
Would it be best to just deploy one app to all Windows servers, including the collection for the IIS log? I'm assuming it will only generate an error that the log cannot be found...
I'm just curious as to how granular a person should get, or if granularizing for this purpose is just management overhead with little benefit.
I would personally recommend creating a "base" deployment application which has a common set of inputs for data you want to collect across the environment. From there you can create specific deployment applications which address inputs on a per-server-type basis. In the example above the IIS server would get both the "win_base" input app and the "iis" input app. An Exchange server might get the "win_base" input app and the "exchange" input app.
I would create:
First, whitelist/list all Windows servers into a class for the first app. Then, whitelist all IIS servers for the second app in a different class, and so on for each app.
The inputs will layer on top of each other, so it's fine to have a server whitelist into multiple apps.
This approach allows you to change and manage according to the application or use case, rather than according to sets of servers. This would be a best practice. In general, you should create apps that describe the application or use case, regardless of what server it's on, then map those to the appropriate servers using Deployment Server.
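The layering described in the answers above, sketched as an added example that is not part of the original posts. The app names `win_base` and `iis` come from the thread; the server class names, the `web-iis-*` hostname pattern, the chosen event logs and the IIS log path are assumptions made for illustration.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---

# Class 1: every Windows forwarder receives the base app.
# (class name "all_windows" is hypothetical)
[serverClass:all_windows]
whitelist.0 = *
machineTypesFilter = windows-*

[serverClass:all_windows:app:win_base]
stateOnClient = enabled
restartSplunkd = true

# Class 2: only IIS hosts match, so they receive win_base AND iis.
# (class name and hostname pattern are constructed for this example)
[serverClass:iis_servers]
whitelist.0 = web-iis-*

[serverClass:iis_servers:app:iis]
stateOnClient = enabled
restartSplunkd = true

# --- $SPLUNK_HOME/etc/deployment-apps/win_base/local/inputs.conf ---
# Common inputs collected from every Windows host.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# --- $SPLUNK_HOME/etc/deployment-apps/iis/local/inputs.conf ---
# IIS-only input; it lives in its own app so non-IIS hosts never
# receive a monitor stanza for a path that does not exist.
# Path is an assumption (IIS 7 default location); adjust per host.
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
disabled = 0
```

Because a forwarder matching both classes merges the inputs from both apps, a change to IIS collection touches only the `iis` app and leaves the base event-log collection on every other server unchanged.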
So if I am deploying the Splunk for Windows app for these servers, and using its input file, would it be best to just add another input file for the other servers, in a separate app, or copy the Splunk for Windows app, rename it, and modify its input file... Thanks...