Deployment Architecture

How to remove universal forwarder (or UF configs) using the deployment server?

soumyasaha2506
Loves-to-Learn

Is it at all possible to remove/uninstall UFs by pushing some script(s) from the deployment server. I do not have OS access on these endpoints & servers. OS access option is not possible, hence need to think of some alternative ways to achieve this (if possible).
I can always disable the inputs on the UF but the requirement is to remove the UF installation itself, if not the installation then all configs like inputs.conf/outputs.conf/deploymentclient.conf and other apps (essentially everything in $SPLUNK_HOME/etc/system/local)

Splunk Deployment server version 8.1.x

UF version >7.1
OS - Windows endpoints and servers, Linux servers

0 Karma

PickleRick
SplunkTrust
SplunkTrust

That is one of the reasons I'm not a big fan of the deployment server. With it you can push anything to the forwarder. Including scripts and binaries, which you can call as scripted input. This "something" will be executed with the privileges of user running the splunk process. So in linux case it would most typically be the "splunk" user so you wouldn't be able to do much harm. But on windows the forwarder often runs as Local System user...

0 Karma

somesoni2
Revered Legend

Since you don't have OS access to those UF servers, I'm assuming you didn't install them and most probably won't have access to un-install them. You can't uninstall them using Splunk. Work with Server owners to get the UF un-installed.

You can, however, disabled all inputs on that UF as long as you're managing those inputs via deployment server. On the deployment server, edit app.conf for each of the apps that are distributed to the UFs, adding the following

[install]
state = disabled

Then reload the deployment server so it will distribute the updated/disabled app to all the forwarders.

A disabled app is completely ignored, so this effectively disables all the inputs.conf and outputs.conf that are configured in apps. The only risk may be any UFs that have set inputs or outputs in etc/system/local - hopefully there are none of those in your environment.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...