Deployment Architecture

Deployment Server listening - but not responding.

cvweiss
Explorer

I've been attempting to setup a Splunk deployment server. I have receiving enabled on port 28090, I can telnet from forwarder machine to the splunk machine on that port, however, the forwarder just keeps putting out these error messages:

05-24-2011 10:39:19.919 -0400 WARN  DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected

After reading some of the other similar questions here, I've attempted enabling and disabling SSL, which didn't help. If I turn off the listener on the deployment server, the following error occurs on the forwarder:

05-24-2011 10:41:20.633 -0400 WARN  TcpOutputFd - Connect to 10.8.16.229:28090 failed. Connection refused
05-24-2011 10:41:20.633 -0400 ERROR TcpOutputFd - Connection to host=10.8.16.229:28090 failed

So there definitely appears to be some communication happening. Also, when checking to see if deployment clients are connected:

# ./splunk list deploy-clients
No deployment clients have contacted this server.

Running 'netstat | grep 28090' definitely shows the clients are connected.

What step(s) am I missing here?

Tags (1)

gsawyer1
Engager

"Also, make sure you've only got one splunk instance installed". Does that mean you can't have the Universal Forwarder installed on a Splunk indexer? That would be two instances....what if you are trying to send the Indexer's logs to other indexers, for redundancy?

0 Karma

gsawyer1
Engager

"what if you are trying to send the Indexer's logs to other indexers, for redundancy?" That's our need; we send our logs to more than one indexer. What other method do you suggest, especially when dealing with Windows Event logs.

0 Karma

christopher_hod
Path Finder

There's no need to install a separate UF on an indexer. While you could, it's probably not what you really want and will probably wind up confusing things.

I was more concerned about the confusing part for this debugging exercise.

0 Karma

christopher_hod
Path Finder

I had the same thing and realized I had managed to move the deploymentServer app out of the way (which holds my serverclass.conf). So make sure you have one of those under $SPLUNK/etc/apps somewhere.

Also, make sure you've only got one splunk instance installed.

0 Karma

rbaier
Engager

Same here. I have the forwarder tested and working on two development servers using the most basic configuration possible (deployment server and receiving indexer are the same, skip certificate information, etc). I went through the exact same setup/configuration process on a production server. I'm not seeing that any logs are being shipped and I see the same "DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected" error repeatedly in splunkd.log.

Any suggestions? I'm not even sure how to debug.

cyberbob
Engager

I have the same issue and error. Have restarted forwarder and listener. Any suggestions ?

0 Karma

ziegfried
Influencer

did you restart you deployment server after enabling deployment services?

0 Karma

bwooden
Splunk Employee
Splunk Employee

You will not need to enable receiving specifically for the deployment server. That feature is to allow forwarders to send their data to the indexer.

On the deployment server, you will need to have a serverclass.conf that defines classes and assigns apps to those classes.

On the deployment client, you will need to have a deploymentclient.conf that contacts the deployment server on its splunkd port (8089 by default).

The below configuration would allow the deployment client to pull the application testApp from the deployment server's $SPLUNK_HOME/etc/deployment-apps/testApp to its $SPLUNK_HOME/etc/apps/testApp

serverclass.conf sample:

[global]

[serverClass:testClass]
whitelist.0 = *
[serverClass:testClass:app:testApp]

deploymentclient.conf sample:

[deployment-client]

[target-broker:deploymentServer]
targetUri= 192.168.0.100:8089

cvweiss
Explorer

Even using the most basic configuration I'm still getting the same not_connected error. I'm at a loss here.

bwooden
Splunk Employee
Splunk Employee

A Splunk server may have several roles. You can host your deployment server on your indexer and the two won't interfere with each other. Your indexer can even be a client of its deployment server. "I'm not only the Hair Club president, I'm also a client"

0 Karma

cvweiss
Explorer

The deployment server is the indexer (for now). Would this have any affect?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...