Deployment Architecture

Deployment Server

hectorvp
Communicator

I have Linux box as deployment server and windows servers where UF is hosted.

I'm able to successfully deploy application from deployment server to UF. However, I'm not able to fetch logs in my indexer.

In deployment server configurations are located at -> 

/opt/splunk/etc/deployment-apps/windows_app/default

"windows_database" is app name

In UF(windows) these conf get downloaded at ->

\etc\apps\windows_app\default

But I guess these configuration are not been take into effect to monitor logs,don't know why.

I copied same configuration (inputs.conf & outputs.conf) and pasted in -> \etc\system\local

And was able to fetch every logs as intended. Did I miss out something while trying to implement using deployment server???

Configuration files are :

inputs.conf ->

[default]

[WinEventLog://Security]
disabled = 0
index= main

[WinEventLog://Application]
disabled = 0
index = main

[WinEventLog://System]
disabled = 0
index = main

 

Outputs.conf ->

[tcpout]
defaultGroup=ath_indexers

[tcpout:ath_indexers]
server=18.185.116.9:9997

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

probably I'm saying something that you already did:

a Technical add-Onn (TA) is structured as all the Splunk apps, at least the following folders:

  • default
  • local
  • metadata

In local or default folder you have to put your files (inputs.conf, props.con, etc...)

TAs must be located on Deployment Server in $SPLUNK_HOME/etc/deployment-apps as folders (not zip or tar or tgz).

Deployment server deployes TAs in $SPLUNK_HOME\apps (in Windows)

Remember, on Deployment Server, to flag "restart ufter updates" option (by default it isn't flagged) otherwise changes aren't activated.

For Windows logs, I hint to use the Splunk TA Windows (https://splunkbase.splunk.com/app/742/)  instead custom inputs, remembering to enable the stanzas you want.

Only one last question: searching for Splunk internal logs did you have results?

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

probably I'm saying something that you already did:

a Technical add-Onn (TA) is structured as all the Splunk apps, at least the following folders:

  • default
  • local
  • metadata

In local or default folder you have to put your files (inputs.conf, props.con, etc...)

TAs must be located on Deployment Server in $SPLUNK_HOME/etc/deployment-apps as folders (not zip or tar or tgz).

Deployment server deployes TAs in $SPLUNK_HOME\apps (in Windows)

Remember, on Deployment Server, to flag "restart ufter updates" option (by default it isn't flagged) otherwise changes aren't activated.

For Windows logs, I hint to use the Splunk TA Windows (https://splunkbase.splunk.com/app/742/)  instead custom inputs, remembering to enable the stanzas you want.

Only one last question: searching for Splunk internal logs did you have results?

Ciao.

Giuseppe

0 Karma

hectorvp
Communicator

Nope I didn't received any internal logs when configurations were inside apps.

When I pasted same configurations in etc\system\local....I fetched internal as well as windows event logs as intended.

Point to raise this question was this happened with me twice.May be I missing something.

Thanks for the suggestion to use  app "Splunk Add on for Windows".

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

if you don't receive interval logs from that server, it means that the problem isn't in inputs.conf but in outputs.conf or there's a network problem between UF and Indexer to debug.

if you try telnet from that server to the indexer what result do you have?

telnet ip_indexer 9997

 Ciao.

Giuseppe

hectorvp
Communicator

Thanks @gcusello,  

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...