DeploymentClient not grabbing Deployment server apps.

jpfry
Explorer

Alright, I've been researching this for the last few hours and I'm at a loss. Here's what I'm having issues with.

I have three indexers that are also working as deployment servers, along with a dedicated search head. Each indexer has identical data in the $SPLUNK_HOME/etc/deployment-apps and $SPLUNK_HOME/etc/system/local directories. The problem I'm having is that the deployment clients are not picking up the 'apps' in $SPLUNK_HOME/etc/deployment-apps (more specifically, the ones I've created that will distribute the outputs.conf and the inputs.conf, based on Windows vs. Linux).
Here are the three apps I've created:

$SPLUNK_HOME/etc/deployment-apps/fwd_to_idx
which contains a local directory and the outputs.conf file

[tcpout]
defaultGroup=idx_group
autoLBFrequency=40

[tcpout:idx_group]
server=indexer1:9997,indexer2:9997,indexer3:9997

The other two apps are:
$SPLUNK_HOME/etc/deployment-apps/WinEvt-sec1/local/inputs.conf
and

$SPLUNK_HOME/etc/deployment-apps/LinuxEvt-standard/local/inputs.conf

The serverclass.conf file is as follows:

[global]
blacklist.0=*
repositoryLocation = /opt/splunk/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

[serverClass:DeployConfig]
machineTypes=windows-intel, windows-x64, windows-*, linux-i686, linux-x86_64, linux-*

[serverClass:DeployConfig:app:fwd_to_idx]
stateOnClient=enabled
restartSplunkd=true

# Class specifications for ALL Windows servers.
[serverClass:WindowsMachines]
machineTypes=windows-intel, windows-x64, windows-*

# Forwarding (inputs.conf)
[serverClass:WindowsMachines:app:WinEvt-sec1]
stateOnClient=enabled
restartSplunkd=true

# Class specification for ALL Linux servers.
[serverClass:LinuxOS]
machineTypes=linux-i686, linux-x86_64, linux-*

# Forwarding (inputs.conf)
[serverClass:LinuxOS:app:LinuxEvt-standard]
stateOnClient=enabled
restartSplunkd=true

I'm testing on one Linux server now until I can get the deployment working correctly. Here is the deploymentclients.conf file:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = mycompanyindexers:8089

I've configured round-robin DNS to house all three indexers' information so I can use mycompanyindexers in the deploymentclients.conf file, and at any given time any forwarder would be able to pull its config from any one of the three indexers.

Anyone have any thoughts as to why the clients aren't getting the directories in the deployment-apps directory? If you need more info, please let me know.

Sorry for the length btw.

1 Solution

hans
Splunk Employee

I don't know whether this helps but I bumped into this problem as well where my DS is a Windows and my DC is a Linux machine. It turns out that

targetRepositoryLocation = $SPLUNK_HOME\etc\apps
tmpFolder = $SPLUNK_HOME\var\run\tmp

the values have to be converted into Unix paths. You can try to do the same by adding them into your [serverClass:DeployConfig] stanza and change the paths to Windows paths.

Hope that helps.

jpfry
Explorer

Actually it was both. I removed the enableSplunkdSSL = false line from the server.conf file. I added that just to test a theory I had regarding replication. Now that it is enabled things seem to run smoothly. I still wonder why it wouldn't work with SSL disabled.

0 Karma

jpfry
Explorer

Yeah, I actually tried it that way and still wasn't able to get the apps to their respective clients. After I removed the enableSplunkdSSL from the server.conf and verified that I was actually getting the apps, I tried changing the targetRepositoryLocation to reflect a more Windows-friendly path and it worked. Simply because I wanted to test every possible outcome. The clients were able to successfully get their apps with both the Windows format and the Unix format.

0 Karma

hans
Splunk Employee

Is it only the deployment clients on Windows that are not getting the apps, or both the Linux and the Windows ones?

0 Karma

jpfry
Explorer

Update:

I was able to get the deployment clients to communicate with the deployment servers and pick up their respective apps. I was having issues with replication and I was testing whether or not the line:

enableSplunkdSSL = false (added to the server.conf file)

would help, which it did; I wasn't seeing replication alerts. Strangely, everything I've read stated that deployment would work if that flag was set to false on all of the indexers. Again, I'm still researching, and will post my findings.

0 Karma
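
Added example, not part of the thread and not Splunk's own code: the posts above trace the failure to an enableSplunkdSSL = false line in server.conf, a setting that also leaves the management port the deployment clients poll (8089 in the targetUri above) without TLS. This Python check reports the effective value and which config layer turns it off; the [sslConfig] stanza name, the layer file names and the sample conf text are assumptions constructed for the example.

```python
# Added example: flag server.conf layers that turn off TLS on splunkd's
# management port. The sample conf text is constructed, not from a real host.

FALSEY = {"false", "0", "f", "no", "n"}  # assumption: spellings treated as "off"

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def merge_layers(layers):
    """Merge (name, text) layers in order; later layers override earlier ones."""
    merged = {}
    for _, text in layers:
        for stanza, kv in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

def audit_splunkd_ssl(layers):
    """Return (tls_enabled, [names of layers that set enableSplunkdSSL off])."""
    def value_of(stanzas):
        # An absent key is treated as enabled.
        return stanzas.get("sslConfig", {}).get("enableSplunkdSSL", "true").lower()
    offenders = [name for name, text in layers
                 if value_of(parse_conf(text)) in FALSEY]
    return value_of(merge_layers(layers)) not in FALSEY, offenders

# Constructed sample: the default layer leaves TLS on, a local override disables it.
SAMPLE_LAYERS = [
    ("system/default/server.conf", "[sslConfig]\nenableSplunkdSSL = true\n"),
    ("system/local/server.conf",
     "[general]\nserverName = indexer1\n\n"
     "[sslConfig]\n# added to test a theory\nenableSplunkdSSL = false\n"),
]

if __name__ == "__main__":
    enabled, offenders = audit_splunkd_ssl(SAMPLE_LAYERS)
    print("splunkd TLS enabled:", enabled, "| disabled in:", offenders)
```
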