Deployment Architecture

Deployment Server, Forwarder Management - editing client names, what is the best name to use when adding a client to a server class?

packet_hunter
Contributor

When I add clients to the deployment server - server class tab
for example

Server Class > windows_wkstns > edit > edit clients
include(whitelist)

I get the following options:

Can be client name, host name, IP address, or DNS name

Is it advisable to add only one name or host name, DNS name, and client name?

Will adding all 3 vs just 1 result in more comprehensive / complete log collection?

Also how do you delete a client from the include list when you only have 1 client listed? I am testing different endpoints one at a time right now.

Thank you

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

As per the serverclass.conf documentation the attribute applies to:

* The value of this attribute is matched against several things in order:
    * Any clientName specified by the client in its deploymentclient.conf file
    * The IP address of the connected client
    * The hostname of the connected client, as provided by reverse DNS lookup
    * The hostname of the client, as provided by the client
    * For Splunk version > 6.4, the instanceId of the client. This is a GUID
      string, e.g. 'ffe9fe01-a4fb-425e-9f63-56cc274d7f8b'.

Therefore you want to match one; often DNS is the most logical match, but in other cases (for example docker instances that specify a clientName explicitly) the clientName might be the most appropriate match.
You don't need to attempt to match both DNS & IP address, for example.

Also how do you delete a client from
the include list when you only have 1
client listed? I am testing different
endpoints one at a time right now.

I would comment out that particular stanza if you have a whitelist of zero clients, to prevent confusion; otherwise I believe it will attempt to use the whitelist under [global].
Try:

splunk btool serverclass list --debug

And see what the global settings are, or test this and comment here :).
You might also want to run splunk btool check when no whitelist is specified to confirm it will work as expected.


0 Karma
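To make the matching order in the quoted serverclass.conf spec concrete, here is an added example (not code from the original thread or from Splunk) that models how a deployment server decides which connected clients fall into a server class. The identifier order is the one quoted above; the serverclass.conf fragment, the client records, the GUIDs and the host names are constructed for this example, and the `*` wildcard handling and case-insensitive comparison are assumptions about Splunk's matching rather than something taken from its code. It also shows why listing the DNS name, IP address and clientName of the same host in one whitelist gives exactly the same membership as listing one of them.

```python
"""Model of Splunk deployment-server server-class matching (added example).

Identifier order follows serverclass.conf.spec as quoted in the thread:
clientName, IP address, reverse-DNS hostname, client-reported hostname,
instanceId. Wildcard and case-folding behaviour is an assumption here.
"""
import configparser
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Client:
    """What the deployment server knows about one connected deployment client."""
    client_name: str   # clientName from deploymentclient.conf ("" if unset)
    ip: str            # source address of the management connection
    reverse_dns: str   # PTR lookup of ip ("" if there is no PTR record)
    hostname: str      # hostname the client reports about itself
    instance_id: str   # GUID instanceId of the client

    def identifiers(self) -> list[str]:
        """Identifiers in the order the spec says they are tried, skipping
        the ones this client did not provide (e.g. no clientName, no PTR)."""
        ids = [self.client_name, self.ip, self.reverse_dns, self.hostname, self.instance_id]
        return [i for i in ids if i]


def parse_serverclass(text: str) -> dict[str, dict[str, list[str]]]:
    """Collect whitelist.N / blacklist.N entries per stanza, ordered by N."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for stanza in cp.sections():
        lists = {"whitelist": [], "blacklist": []}
        for key, value in cp[stanza].items():
            kind, _, index = key.partition(".")
            if kind in lists and index.isdigit():
                lists[kind].append((int(index), value.strip()))
        out[stanza] = {k: [v for _, v in sorted(entries)] for k, entries in lists.items()}
    return out


def first_match(client: Client, patterns: list[str]):
    """Return (pattern, identifier) for the first pattern that matches any of
    the client's identifiers, trying identifiers in spec order; None if no
    pattern matches. Assumption: '*' glob wildcards, case-insensitive."""
    for pattern in patterns:
        for ident in client.identifiers():
            if fnmatchcase(ident.lower(), pattern.lower()):
                return pattern, ident
    return None


def members(conf: dict, stanza: str, clients) -> frozenset:
    """Clients assigned to a server class: any whitelist hit, unless a
    blacklist entry also hits (blacklist takes precedence)."""
    rules = conf[stanza]
    return frozenset(
        c for c in clients
        if first_match(c, rules["whitelist"]) and not first_match(c, rules["blacklist"])
    )


# Constructed clients: none of these are real hosts.
WKSTN = Client("", "10.0.1.15", "wkstn-0015.corp.example", "WKSTN-0015",
               "0a1b2c3d-0000-4000-8000-000000000001")
LAB = Client("", "10.0.1.16", "wkstn-lab-0016.corp.example", "WKSTN-LAB-0016",
             "0a1b2c3d-0000-4000-8000-000000000002")
DOCKER = Client("docker-web-frontend", "172.17.0.5", "", "a1b2c3d4e5f6",   # container: no PTR
                "0a1b2c3d-0000-4000-8000-000000000003")
DB = Client("", "10.0.2.7", "srv-db-01.corp.example", "srv-db-01",
            "0a1b2c3d-0000-4000-8000-000000000004")
CLIENTS = (WKSTN, LAB, DOCKER, DB)

# Constructed serverclass.conf fragment: one class keyed on DNS names, one on clientName.
SERVERCLASS_CONF = """
[serverClass:windows_wkstns]
whitelist.0 = wkstn-*.corp.example
blacklist.0 = wkstn-lab-*

[serverClass:docker_web]
whitelist.0 = docker-web-*
"""

# The same host listed once vs. by DNS name, IP and hostname: identical membership.
ONE_NAME = "[serverClass:db]\nwhitelist.0 = srv-db-01.corp.example\n"
ALL_NAMES = ("[serverClass:db]\nwhitelist.0 = srv-db-01.corp.example\n"
             "whitelist.1 = 10.0.2.7\nwhitelist.2 = srv-db-01\n")

if __name__ == "__main__":
    conf = parse_serverclass(SERVERCLASS_CONF)
    for stanza in conf:
        for c in members(conf, stanza, CLIENTS):
            print(stanza, "<-", first_match(c, conf[stanza]["whitelist"]))
    one = members(parse_serverclass(ONE_NAME), "serverClass:db", CLIENTS)
    three = members(parse_serverclass(ALL_NAMES), "serverClass:db", CLIENTS)
    print("one identifier == three identifiers:", one == three)
```

Running it shows the workstation class picking up `WKSTN` by its reverse-DNS name and excluding `LAB` through the blacklist, the docker class matching `DOCKER` on its clientName (the only stable identifier a container has when it lacks a PTR record), and the `db` class having the same single member whether one identifier or three are whitelisted. A client is either matched or not; extra identifiers for the same host change nothing about which clients receive the apps, so they do not make log collection more complete.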

packet_hunter
Contributor

So just to be certain, it's best to use only one name, but pick the name that best suits the desired events?

Regarding my second question, I was using the GUI only and when I removed the only client and tried to save it warned that a whitelist entry was needed. But I will use your method as stated.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Yes, in my environment DNS names/server names are unique for non-docker instances so that's what we use 90% of the time.

For docker we have the client name set in the deploymentclient.conf file to make it easier to determine what the purpose of the docker container is.

instanceId I've rarely used, but it might make sense in some circumstances...

0 Karma