How to push configuration to multiple Heavy forwar...

sekhar463 · ‎09-22-2022

hai we are using multiple Heavy forwarders

while doing any configuration in inputs.conf during logs collection doing manually in all heavy forwarders.

is there anyway to update and push configuration for all at once

we are using deployment server to manage universal forwarders/clients.

how we can use deployment to manage HF also

gcusello · ‎09-22-2022

Hi @sekhar463,

you can manage HSs in the same way of UFs using your Deployment Server:

you have to copy apps in $SPLUNK_HOME/etc/deployment-apps
create a ServerClass for HFs
deploy apps.

Ciao.

Giuseppe

sekhar463 · ‎09-22-2022

hi @gcusello

Thank you. we are using /etc/rsyslog.d/gtslog.d/i_inputs.conf for syslogs inputs.

is it possible to push all configuration for syslog onboarding which we are using rsyslog

isoutamo · ‎09-23-2022

Hi

as you are managing rsyslog configurations not splunk HF configuration you will need a something else than a Splunk DS. My proposal is to use e.g. ansible for deploy those configurations and do a needed restarts etc. But this is not a issue what we are discussing on splunk community.

r. Ismo

gcusello · ‎09-22-2022

Hi @sekhar463,

as I said, the HF is a forwarder.

So you have to create a TA (containing at least inputs.conf) that reads the files created by your rsyslog and deploy it to the HF using the Deployment Server.

Ciao.

giuseppe

How to push configuration to multiple Heavy forwarders at a time?

heavy forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?