Deployment server to deploy specific serverclass to a client excluding whitelist *

Mag2sub
Path Finder

How do we make a deployment client with specific client name and serverclass designated not honor "*" whitelist designated for another serverclass?

i.e. this client needs to download only the serverclass designated with its client name in whitelist and ignore all other serverclasses with whitelist *

0 Karma

Mag2sub
Path Finder

[global]
stateOnClient = enabled
filterType = whitelist
continueMatching = true

[serverClass:class1]
continueMatching = false
whitelist.0=clientname

[serverClass:class1:app:app1]

[serverClass:class2]
continueMatching = true
blacklist.0=clientname
whitelist.0=*

[serverClass:class2:app:app2]
[serverClass:class2:app:app3]

0 Karma

BenoSplunk
New Member

I downvoted this post because what good is "continuematching = false" in class1 if you have to define blacklist in class2 ???

The whole point of using "continuematching = false" is so that I don't have to go into every single subsequent serverclass and add blacklist.

0 Karma

ShaneNewman
Motivator

That is what I was going to suggest.

0 Karma

Mag2sub
Path Finder

I had to add an explicit blacklist for the specific clientname in the serverclass having whitelist.0=* for this to work the nearest to what I want.

Mag2sub
Path Finder

It did not work without the blacklist statement. Are you saying the apps for whitelist=* were not deployed to the specific client name, which had continuematching =False? I found all apps were deployed to clientname, including both server classes. I wanted only class1 apps on clientname and not class2 apps.

0 Karma

emiller42
Motivator

Can you post your final serverclass.conf? I tested the format I gave you locally, and it worked as expected.

0 Karma

emiller42
Motivator

Include the following line in your stanza:

continueMatching = false

And then make sure all other stanzas with whitelist=* come after that stanza in your conf file.

Details can be found in the documentation

EDIT FOR CLARITY:

Your stanzas should look like the following:

[serverClass:specificHost]
continueMatching = false
whitelist.0 = specificHost

[serverClass:specificHost:app:foo]

[serverClass:broad]
whitelist.0 = *

[serverClass:broad:app:bar]

Note that the app stanzas are separate stanzas from the serverClass stanzas. So you can't put the whitelist under them.

Mag2sub
Path Finder
* is not appearing in whitelist=* when I edit online
0 Karma

Mag2sub
Path Finder

I don't see a consistent deployment... does whitelist=clientname exclude whitelist=* ?
As I see serverclass with whitelist=* also being deployed to serverclass having specific clientnames and continuematch=false

0 Karma

Mag2sub
Path Finder

I have deleted the erroneous post/config, as that was my last config and I had the config as you have stated before.

Also checked
index=_internal source=*splunkd.log (component=application OR component=serverclass) warn OR error on the deployment server search app and did not find any error

0 Karma

Mag2sub
Path Finder

Agreed, that was my first config, i.e. whitelist in serverclass and not app. It did not work; that's when I went superfluous.

0 Karma

emiller42
Motivator

The problem is where your whitelist= lines live. Those are only valid in global or serverClass stanzas, not in app stanzas. (Which is where you have them) Your stanzas should look like the following:

[global]
stateOnClient = enabled
filterType = whitelist
continueMatching = true

[serverClass:serverclass1]
continueMatching = false
whitelist.0=matchingclient

[serverClass:serverclass1:app:app1]

[serverClass:serverclass2]
continueMatching = true
whitelist.0=*

[serverClass:serverclass2:app:app2]
0 Karma
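
A lint for the layout advice in the replies above (filters only in [global] or serverClass stanzas; wildcard classes placed after the class with continueMatching = false), plus a check for app stanzas whose class name has no stanza of its own. This is an added example, not code from the thread or from Splunk; the function names and finding codes are made up for it, and it checks file layout only, not how the deployment server actually matches clients.

```python
import re

# Constructed sample (not a config from the thread) combining three mistakes.
SAMPLE_CONF = """\
[serverClass:broad]
whitelist.0 = *
[serverClass:broad:app:bar]
[serverClass:specificHost]
continueMatching = false
whitelist.0 = specificHost
[serverClass:specificHost:app:foo]
whitelist.0 = specificHost
[serverClass:class2:app:app2]
"""

STANZA = re.compile(r"^\[(.+)\]$")
SETTING = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")

def parse(text):
    stanzas = []  # [(stanza_name, {key: value})] in file order
    for line in map(str.strip, text.splitlines()):
        if m := STANZA.match(line):
            stanzas.append((m.group(1), {}))
        elif stanzas and (s := SETTING.match(line)):
            stanzas[-1][1][s.group(1)] = s.group(2)
    return stanzas

def lint(text):
    """Return [(finding_code, stanza_name)] for the pitfalls raised in the thread."""
    stanzas = parse(text)
    classes = {n.split(":")[1] for n, _ in stanzas
               if n.startswith("serverClass:") and n.count(":") == 1}
    findings, wildcard_seen = [], False
    for name, kv in stanzas:
        parts = name.split(":")
        kind = (parts[0], len(parts))
        if kind == ("serverClass", 4) and parts[2] == "app":
            # Thread advice: filters go in [global] or serverClass stanzas.
            if any(k.startswith(("whitelist.", "blacklist.")) for k in kv):
                findings.append(("FILTER_IN_APP_STANZA", name))
            # App stanza whose class has no stanza of its own (e.g. a typo).
            if parts[1] not in classes:
                findings.append(("APP_WITHOUT_CLASS", name))
        elif kind == ("serverClass", 2):
            # Thread advice: wildcard classes come after the exclusive class.
            if kv.get("continueMatching", "").lower() == "false" and wildcard_seen:
                findings.append(("WILDCARD_BEFORE_EXCLUSIVE", name))
            wildcard_seen |= any(k.startswith("whitelist.") and v == "*" for k, v in kv.items())
    return findings
```

Calling `lint(SAMPLE_CONF)` reports one finding per mistake in the sample; the layout recommended in the reply above produces none.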

Mag2sub
Path Finder

Typo in whitelist *. I just posted the most superfluous version above. The whitelist was at serverclass before this, and since the default stance for continuematching was true, I had only the config as you said before.

0 Karma

emiller42
Motivator

So if you have something like:

[serverClass:clientSpecific]
whitelist.0=matchingclient
continueMatching=false
[serverClass:clientSpecific:app:bar]

[serverClass:general]
whitelist.0=*
[serverClass:general:app:bar]

then the general class no longer matches and the apps are uninstalled?

0 Karma

Mag2sub
Path Finder

OK, I have 2 separate serverclasses and found that when I mention a specific clientname whitelist on top of the serverclass and continue matching =false in that serverclass:app stanza, it just ignored the rest of the serverclasses below it, and all apps deployed with * were undeployed suddenly, and I can't see the specific client name app deployed either. I do see the specific bundles in ~splunk/var/tmp. However, I had moved one specific app from a serverclass with * whitelist to a new server class that was on the top with specific clientname and continuematching=false.

0 Karma