Solved: Deployment Server : Unable to deploy apps (Splunk ...

koshyk · ‎12-13-2013

Unfortunately, i'm unable to get a forwarder app deployed using deployment Server. Below is what I' ve done till now (Splunk 5.0.2)
- Port Connections Ok
- Able to phone home correctly from forwarder

@Deployment Server

App: /opt/splunk/etc/deployment-apps/UNIX_FWDER
serverclass: /opt/splunk/etc/system/local/serverclass.conf

@Deployment client

Expected Forwarder app location: /opt/splunkforwarder/etc/apps
DeplomentClient Conf: /opt/splunkforwarder/etc/apps/deployclient/local/deploymentclient.conf

As per Splunk Wiki I did lot of debugging. Turned on DEBUG in client & Server. Client log is

12-03-2013 14:47:06.736 +0000 DEBUG DeploymentClient - Phone home recvd reply: <?xml version="1.0" encoding="UTF-8"?>\n<deployResponse restartSplunkd="true" restartSplunkWeb="false" stateOnClient="enabled" repositoryLocation="$SPLUNK_HOME/etc/apps" endpoint="$deploymentServerUri$/services/streams/deployment?name=$tenantName$:$serverClassName$:$appName$">\n  <serverClass name="FWDR1"/>\n</deployResponse>\n

serverclass.conf

[global]
restartSplunkd = true

[serverClass:FWDR1]
whitelist.0=*

So definitely, the Client is identifying the Server class and phoning every 60s. But the apps are NOT copied from "deployment-apps" in Server to "/opt/splunkforwarder/etc/apps" in the client. Anyone Experienced this issue before?

koshyk · ‎12-13-2013

Ok, Found the problem.
This is related to Previous Thread "http://answers.splunk.com/answers/96782/per-app-machinetypesfilter-broken-in-serverclassconf"

I'm not sure it's a bug or NOT.
But I have to add whitelist.0 at every app level !!

Thanks again aholzer for pointing me in right direction.

View solution in original post

koshyk · ‎12-13-2013

Ok, Found the problem.
This is related to Previous Thread "http://answers.splunk.com/answers/96782/per-app-machinetypesfilter-broken-in-serverclassconf"

I'm not sure it's a bug or NOT.
But I have to add whitelist.0 at every app level !!

Thanks again aholzer for pointing me in right direction.

aholzer · ‎12-13-2013

Also after you change your serverclass.conf or make changes to a deployment-apps app, make sure to run $SPLUNK_HOME/bin/splunk reload deploy-server

Otherwise the deployment server will not know about the changes and continue distributing based on the old serverclass.conf and old apps

aholzer · ‎12-13-2013

I'd suggest testing with a single forwarder first. Simply try:
...

[serverClass:FWDR1]
whitelist.0=your_test_forwarder
[serverClass:FWDR1:app:UNIX_FWDER]

Also note, that "UNIX_FWDER" needs to be the name of the folder of your app. ("/opt/splunk/etc/deployment-apps/UNIX_FWDER")

koshyk · ‎12-13-2013

I tried that before .. but a bit more specific..
..
[serverClass:FWDR1:app:UNIX_FWDER]
machineTypesFilter=linux*

But didn't work. So thought to put a simplified filtering

aholzer · ‎12-13-2013

Is that your entire serverclass.conf? If it is that is your problem. You are missing the stanza that defines what app to send to your serverClass. See example:

[global]
restartSplunkd = true

[serverClass:FWDR1]
whitelist.0=*
[serverClass:FWDR1:app:your_app]

This last stanza lets the deployment server know that it should send "your_app" to the serverClass FWDR1, which in your case would send it to everything that is a deploymentclient.

Hope this helps.

Deployment Server : Unable to deploy apps (Splunk 5.0.2)

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases