Deployment Server listening - but not responding.

cvweiss
Explorer

I've been attempting to set up a Splunk deployment server. I have receiving enabled on port 28090, and I can telnet from the forwarder machine to the Splunk machine on that port; however, the forwarder just keeps putting out these error messages:

05-24-2011 10:39:19.919 -0400 WARN  DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected

After reading some of the other similar questions here, I've attempted enabling and disabling SSL, which didn't help. If I turn off the listener on the deployment server, the following error occurs on the forwarder:

05-24-2011 10:41:20.633 -0400 WARN  TcpOutputFd - Connect to 10.8.16.229:28090 failed. Connection refused
05-24-2011 10:41:20.633 -0400 ERROR TcpOutputFd - Connection to host=10.8.16.229:28090 failed

So there definitely appears to be some communication happening. Also, when checking to see if deployment clients are connected:

# ./splunk list deploy-clients
No deployment clients have contacted this server.

Running 'netstat | grep 28090' definitely shows the clients are connected.

What step(s) am I missing here?

gsawyer1
Engager

"Also, make sure you've only got one splunk instance installed". Does that mean you can't have the Universal Forwarder installed on a Splunk indexer? That would be two instances... What if you are trying to send the Indexer's logs to other indexers, for redundancy?

0 Karma

gsawyer1
Engager

"what if you are trying to send the Indexer's logs to other indexers, for redundancy?" That's our need; we send our logs to more than one indexer. What other method do you suggest, especially when dealing with Windows Event logs?

0 Karma

christopher_hod
Path Finder

There's no need to install a separate UF on an indexer. While you could, it's probably not what you really want and will probably wind up confusing things.

I was more concerned about the confusing part for this debugging exercise.

0 Karma

christopher_hod
Path Finder

I had the same thing and realized I had managed to move the deploymentServer app out of the way (which holds my serverclass.conf). So make sure you have one of those under $SPLUNK/etc/apps somewhere.

Also, make sure you've only got one splunk instance installed.

0 Karma

rbaier
Engager

Same here. I have the forwarder tested and working on two development servers using the most basic configuration possible (deployment server and receiving indexer are the same, skip certificate information, etc). I went through the exact same setup/configuration process on a production server. I'm not seeing that any logs are being shipped and I see the same "DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected" error repeatedly in splunkd.log.

Any suggestions? I'm not even sure how to debug.

cyberbob
Engager

I have the same issue and error. I have restarted the forwarder and the listener. Any suggestions?

0 Karma

ziegfried
Influencer

Did you restart your deployment server after enabling deployment services?

0 Karma

bwooden
Splunk Employee

You will not need to enable receiving specifically for the deployment server. That feature is to allow forwarders to send their data to the indexer.

On the deployment server, you will need to have a serverclass.conf that defines classes and assigns apps to those classes.

On the deployment client, you will need to have a deploymentclient.conf that contacts the deployment server on its splunkd port (8089 by default).

The below configuration would allow the deployment client to pull the application testApp from the deployment server's $SPLUNK_HOME/etc/deployment-apps/testApp to its $SPLUNK_HOME/etc/apps/testApp

serverclass.conf sample:

[global]

[serverClass:testClass]
whitelist.0 = *
[serverClass:testClass:app:testApp]

deploymentclient.conf sample:

[deployment-client]

[target-broker:deploymentServer]
targetUri= 192.168.0.100:8089
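
The port distinction in the answer above (deployment clients contact the splunkd port, while receiving ports carry forwarded data) can be checked mechanically. This is an added example, not part of the original post or Splunk's own tooling: it compares a client's deploymentclient.conf with the server's inputs.conf. The sample file contents are constructed, and the function names are hypothetical.

```python
import configparser
import re

DEFAULT_MGMT_PORT = 8089  # splunkd port default named in the answer above
# Constructed sample input, not taken from any poster's system.
CLIENT_CONF = """
[deployment-client]

[target-broker:deploymentServer]
targetUri= 10.8.16.229:28090
"""
SERVER_INPUTS_CONF = """
[splunktcp://28090]
disabled = 0
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (targetUri)
    cp.read_string(text)
    return cp

def receiving_ports(inputs_conf):
    """Ports opened for forwarder data by enabled splunktcp stanzas."""
    cp, ports = _parse(inputs_conf), set()
    for name in cp.sections():
        m = re.fullmatch(r"splunktcp(?:-ssl)?:(?://)?(?:[^:/]*:)?(\d+)", name)
        disabled = cp.get(name, "disabled", fallback="0").strip().lower()
        if m and disabled not in ("1", "true"):
            ports.add(int(m.group(1)))
    return ports

def check_target(client_conf, inputs_conf, mgmt_port=DEFAULT_MGMT_PORT):
    """Return one finding per target-broker stanza with a suspect port."""
    findings, data_ports = [], receiving_ports(inputs_conf)
    cp = _parse(client_conf)
    for name in cp.sections():
        if not name.startswith("target-broker:"):
            continue
        uri = cp.get(name, "targetUri", fallback="")
        port = uri.rsplit(":", 1)[-1]
        if not port.isdigit():
            findings.append(f"{name}: targetUri '{uri}' has no port")
        elif int(port) in data_ports:
            findings.append(f"{name}: {port} is a receiving port, not splunkd")
        elif int(port) != mgmt_port:
            findings.append(f"{name}: {port} is not splunkd port {mgmt_port}")
    return findings
```

Pass a different `mgmt_port` if the server's splunkd port has been changed from the default.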

cvweiss
Explorer

Even using the most basic configuration I'm still getting the same not_connected error. I'm at a loss here.

bwooden
Splunk Employee

A Splunk server may have several roles. You can host your deployment server on your indexer and the two won't interfere with each other. Your indexer can even be a client of its deployment server. "I'm not only the Hair Club president, I'm also a client"

0 Karma

cvweiss
Explorer

The deployment server is the indexer (for now). Would this have any effect?

0 Karma