Deployment Architecture

edit server.conf on multiple servers

vpantangi
Explorer

I want to edit server.conf for around 600 servers. Is there any way we can edit them all at a time?

0 Karma

koshyk
Super Champion

First of all, you have got a large environment as per the information of 600 servers. You should NEVER use the $SPLUNK_HOME/etc/system/ location for these kinds of activities. Always modularise your apps/configs.

Planning your environment is the MOST important thing to administer your Splunk environment.

So the best case for you is
1. Create an app as per your org's naming standard (e.g. MY_PROD_server_configs).
2. Create a "local" directory within it and then "server.conf" within it. Finally it would look like MY_PROD_server_configs/local/server.conf
3. Ensure you have ONLY the "required" stanza in your app's server.conf and push it via your deployment server, which manages your Universal forwarders/agents.
4. It is advised to have a separate serverclass app (e.g. MY_PROD_managed_servers_serverclass/local/serverclass.conf) to modularise what you want to push and which servers you want to push to, etc.

Once pushed, you can control everything centrally via deployment server and future updates etc.
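
The layout described in the answer above, as an added example that is not part of the original thread. The app names come from the post; the server class name `all_forwarders`, the `whitelist.0 = *` match and the `[sslConfig]` setting are assumptions chosen for illustration, since the thread does not say which stanzas the scan called for.

```ini
# --- Both files live on the deployment server ---

# $SPLUNK_HOME/etc/deployment-apps/MY_PROD_server_configs/local/server.conf
# Carry only the stanzas that must change; everything else keeps its default.
# [sslConfig]/sslVersions is an assumed example of a scan-driven setting.
[sslConfig]
sslVersions = tls1.2

# $SPLUNK_HOME/etc/apps/MY_PROD_managed_servers_serverclass/local/serverclass.conf
# The server class name "all_forwarders" is hypothetical.
[serverClass:all_forwarders]
# Matches every deployment client; narrow to a hostname pattern where needed.
whitelist.0 = *

[serverClass:all_forwarders:app:MY_PROD_server_configs]
# server.conf changes take effect only after splunkd restarts on the client.
restartSplunkd = true
stateOnClient = enabled
```

On each client the app is installed under `$SPLUNK_HOME/etc/apps/MY_PROD_server_configs/`. A value for the same key in `etc/system/local/server.conf` takes precedence over the app's copy, and `splunk btool server list sslConfig --debug` shows which file each effective setting comes from.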

vpantangi
Explorer

We had a vulnerability scan and we got some vulnerabilities, and we would like to clear them. In order to clear them, we would like to add a couple of stanzas to the server.conf.

0 Karma

vsai0718
Path Finder

What are these servers? If those are forwarders, maybe with the deployment server, or by making an Ansible playbook to change whatever you're trying to change.

If it is the same thing you're trying to change and the servers are forwarders talking to a deployment server, then it is easy to do it by deployment server. Or else an Ansible playbook will be the best way.

0 Karma

vpantangi
Explorer

These are regular Windows servers. They are not connecting to the deployment server, but the problem is that if we push something on the deployment server, it will get changed in apps/local, but I want to change it in system/local/server.conf.

0 Karma

nickhills
Ultra Champion

What is the rationale behind wanting to make the change in system/local and not via a deployment app?

The deployment server is the supported (and easy) way to push changes to large numbers of forwarders - making changes to system/local goes against best practices.

What is your use case?

If my comment helps, please give it a thumbs up!

vpantangi
Explorer

We did it using deployment server. Thank you.

0 Karma

vsai0718
Path Finder

Then ansible-playbook would be a good idea, if the change is static among all the servers.
