- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Deployment Server Questions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deployment Server Questions
I am setting up a separate deployment server for all of my universal forwarders to get their configs from and I have a question or three.
- It appears that the deployment server is designed to push out app configs and not system\local configs. How does one go about pushing out input.conf and output.conf to the forwarders.
- If you can push input.conf to the forwarders how would you handle the "host=xxxxxxx" line in the different forwarders?
- Can the Deployment server update the universal forwarder software on the clients or just the configs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Create an app for all systems that will be getting their configurations from the Deployment server and put the outputs.conf file in the apps local directory. Example: CORP_APP/local/outputs.conf. You're outputs.conf file will need to have the configuration correct to where it is sending the data to. For the inputs.conf use the same method as you did for your outputs. Example: if you are looking for web logs on an apache server then CORP_APACHE/local/inputs.conf and set up your settings there. You can then apply the CORP_APACHE app to the apache servers in your environment.
- The host is set up on the forwarder when it is installed. If this system is a syslog server and you have properly set up your syslog server to log each host differently then you can use the different techniques for the host name location in the file location. There is plenty of documentation on this.
- At this time there is no official way to update the UF from the Deployment server. This does not mean that you can not set up an app that has a script in it to check a version and if different run an upgrade, this is basically the same as a scripted install with a little more to check the version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't need to be in system/local to be a config. Splunk silently merges all of the configuration data into a master version of the config at runtime. It seeds with system/default, collates application defaults, then application overrides (from local/), then finally system/local.
To push inputs.conf and outputs.conf to the forwarders, simply include them in an application directory that you serve up via deployment server.
You can't write to system/local via deployment server, so the inputs.conf with host=xxxxxxx in that forwarder's system/local will still be present, and "trump" any other settings to end up in the working version of inputs.conf. In other words, "don't worry about setting host".
Deployment server can only update the configs.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
