Changing deploymentclient.conf via deployment server

Runals
Motivator

I've looked for a while on how to adjust the deploymentclient.conf via the deployment server but haven't turned up any answers. Creating an app with a new deploymentclient.conf doesn't seem to be doing the trick. Any advice?

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

If you go to the forwarder and get rid of the other deploymentclient.conf that is most likely in etc/system/local or some other local directory and restart the forwarder, then it will work. This is a known issue. Since apps are deployed to the forwarder's etc/apps directory by default and system/local/deploymentclient.conf is not in that directory, it can't be automagically removed.

0 Karma

anwarmian
Communicator

One thing to keep in mind is that, for a Splunk Forwarder, .../etc/system/local takes precedence over the /etc/apps directory. So a deploymentclient.conf residing in /etc/system/local will take precedence over a deploymentclient.conf in the /etc/apps directory. It is not a best practice to make a deploymentclient.conf app available from the Deployment Server for the forwarders to download, since it will be downloaded to the /etc/apps directory.

0 Karma

gbower333
Path Finder

Just came across this old post but still dealing with the question.
You can deploy a script (scripted input) to change the target Deployment Server in system/local/deploymentclient.conf. I ran into a restart cycle putting the restart in the script directly (test, test, test again). To work around that, I deploy one app to make the change, wait, verify, then deploy a second app that only has the restartSplunkd = 1 setting and does not do anything else.
Now I just need a script for my UFs on Windows machines (yay).

0 Karma

Runals
Motivator

I see what you are saying now. Thanks.

0 Karma

dmaislin_splunk
Splunk Employee

You can create custom installers with this file already in place.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Makeadfpartofasystemimage

0 Karma

dmaislin_splunk
Splunk Employee

If you remove the system/local/deploymentclient.conf and restart the 30 forwarders they will pick up the new configuration since you deployed the new deploymentclient.conf as an app within the deployment server.

The issue is order of precedence. Since the deploymentclient.conf is sitting in system/local and as an app, system/local wins over the app/local. It may be a hassle now, but if you confirm that the new app with deploymentclient.conf is deployed to each forwarder and you spend some time just removing the system/local/deploymentclient.conf and restart, the issue will go away.
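
Added example, not from any poster in this thread or from Splunk: it applies the precedence described above (system/local over app directories) to every deploymentclient.conf under a forwarder's Splunk home and lists which deployed settings are being overridden. The app name org_deploymentclient, the host names and the values are constructed; it assumes Splunk's global-context layering (system/local, app local, app default, system/default, apps in ASCII order) with settings merged one by one.

```python
import configparser
import tempfile
from pathlib import Path

CONF = "deploymentclient.conf"

def layers(splunk_home):
    """Existing copies of deploymentclient.conf, highest precedence first (assumed global-context order)."""
    etc = Path(splunk_home) / "etc"
    apps = sorted((p for p in (etc / "apps").glob("*") if p.is_dir()), key=lambda p: p.name)
    dirs = [etc / "system" / "local"]
    dirs += [a / "local" for a in apps] + [a / "default" for a in apps] + [etc / "system" / "default"]
    return [d / CONF for d in dirs if (d / CONF).is_file()]

def resolve(splunk_home):
    """Map (stanza, key) -> [(value, path), ...] with the winning layer first."""
    found = {}
    for path in layers(splunk_home):
        cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
        cp.optionxform = str  # keep key case, e.g. targetUri
        cp.read_string("[default]\n" + path.read_text())  # tolerate keys before any stanza
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                found.setdefault((stanza, key), []).append((value, path))
    return found

def shadowed(splunk_home):
    """Settings defined in more than one layer; every entry after the first is ignored."""
    return {k: v for k, v in resolve(splunk_home).items() if len(v) > 1}

def build_demo(root):
    """Constructed forwarder tree: a stale system/local copy plus a deployed app."""
    files = {
        "etc/system/local": "[target-broker:deploymentServer]\ntargetUri = old-ds.example.test:8089\n",
        "etc/apps/org_deploymentclient/local": (
            "[deployment-client]\nphoneHomeIntervalInSecs = 600\n\n"
            "[target-broker:deploymentServer]\ntargetUri = new-ds.example.test:8089\n"),
    }
    for rel, text in files.items():
        (Path(root) / rel).mkdir(parents=True)
        (Path(root) / rel / CONF).write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for (stanza, key), hits in sorted(shadowed(build_demo(tmp)).items()):
            print(f"[{stanza}] {key}: using {hits[0][0]!r} from {hits[0][1]}")
            for value, path in hits[1:]:
                print(f"    ignored {value!r} in {path}")
```

On a live forwarder, `splunk btool deploymentclient list --debug` prints the merged result with the file each setting came from.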

Runals
Motivator

Both OS in a very distributed environment (matrixed responsibility vs geographical). I have 30 forwarders bringing in data now to what is our test/dev system. I need to adjust the phone home interval now and in the next several weeks adjust the targetUri. You are telling me I can't use the deployment server to accomplish this?

I'm also thrown off a bit by your comment of creating a local .conf file for each forwarder as part of a PS deployment as a way to avoid this issue.

0 Karma

dmaislin_splunk
Splunk Employee

Sorry, perhaps it was just overlooked. When we first set up a forwarder, we typically create a deploymentclient.conf local to each forwarder as part of our professional services deployments to avoid this specific issue from creeping up. I am sorry that you are running into it now. Are these Windows or Unix Forwarders?

0 Karma

Runals
Motivator

If this is a known issue then I'm surprised that wasn't called out during Genti's Deployment Server Best Practices preso at .conf12. He devotes 2 slides to this very thing. The crux of the issue is that I cannot touch each forwarder.

0 Karma