Deployment Architecture

How can we track configuration changes on a universal forwarder server?


We have around 1K+ universal forwarder servers where we have deployed apps manually without using DS.

Is there any way to track the configuration changes (inputs.conf or outputs.conf) by any un-authorized user?

One way is to use btool and get all current configurations copied to filesystem in a scheduled manner and ingest configurations to Splunk and compare them to track changes. But this approach has limitations due to license and storage for these extra logs.

May I know whether there is any way to implement configuration tracking?

0 Karma


please accept answer if it was helpful 🙂

0 Karma


Hello ankithreddy777,

there might be an app out there, which does that. In general you would have to figure out what you can get from splunk internal and audit logs.

For example you can get changes on datamodel-config with index=_internal sourcetype=splunkd_access (splunk_action=disable OR splunk_action=moce OR splunk_action=enable)

And you could add a list of your users.

Sadly there is no good documentation about the component. Not that I now of.

Hope that helps.

Kind Regards