Deployment Architecture

How to remove universal forwarder (or UF configs) using the deployment server?


Is it at all possible to remove/uninstall UFs by pushing some script(s) from the deployment server? I do not have OS access on these endpoints & servers. The OS access option is not possible, hence I need to think of some alternative ways to achieve this (if possible).
I can always disable the inputs on the UF, but the requirement is to remove the UF installation itself; if not the installation, then all configs like inputs.conf/outputs.conf/deploymentclient.conf and other apps (essentially everything in $SPLUNK_HOME/etc/system/local).

Splunk Deployment server version 8.1.x

UF version >7.1
OS - Windows endpoints and servers, Linux servers


Ultra Champion

That is one of the reasons I'm not a big fan of the deployment server. With it you can push anything to the forwarder. Including scripts and binaries, which you can call as scripted input. This "something" will be executed with the privileges of user running the splunk process. So in linux case it would most typically be the "splunk" user so you wouldn't be able to do much harm. But on windows the forwarder often runs as Local System user...


Revered Legend

Since you don't have OS access to those UF servers, I'm assuming you didn't install them and most probably won't have access to un-install them. You can't uninstall them using Splunk. Work with Server owners to get the UF un-installed.

You can, however, disable all inputs on that UF as long as you're managing those inputs via the deployment server. On the deployment server, edit app.conf for each of the apps that are distributed to the UFs, adding the following:

state = disabled

Then reload the deployment server so it will distribute the updated/disabled app to all the forwarders.

A disabled app is completely ignored, so this effectively disables all the inputs.conf and outputs.conf that are configured in apps. The only risk may be any UFs that have set inputs or outputs in etc/system/local - hopefully there are none of those in your environment.

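The procedure in the answer above (set state = disabled in app.conf for every deployment app, then reload the deployment server), written out as an added shell example for the Linux deployment server; this is illustrative code, not the poster's or Splunk's own. It assumes a SPLUNK_HOME of /opt/splunk and the default deployment-apps directory $SPLUNK_HOME/etc/deployment-apps (both overridable via environment variables), and it writes the setting into the [install] stanza of each app's local/app.conf, which is where app.conf's state setting lives. It only edits server-side app copies and runs `splunk reload deploy-server` when invoked with --apply; as the answer notes, nothing here touches configuration a forwarder has in its own etc/system/local.

```shell
#!/bin/sh
# Mark every deployment app as disabled so the deployment server pushes
# the disabled state to its forwarders. Added example, not Splunk's code.
#
# Assumptions (hypothetical paths, adjust for your environment):
#   SPLUNK_HOME  - Splunk Enterprise install on the deployment server
#   DEPLOY_APPS  - directory of apps served to clients
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DEPLOY_APPS="${DEPLOY_APPS:-$SPLUNK_HOME/etc/deployment-apps}"

# disable_app <app_dir>
# Ensures <app_dir>/local/app.conf has "state = disabled" under [install],
# creating the file or stanza if missing and replacing any existing state
# line. Other stanzas and settings are left untouched.
disable_app() {
    d="$1"
    conf="$d/local/app.conf"
    mkdir -p "$d/local"
    if [ ! -f "$conf" ]; then
        printf '[install]\nstate = disabled\n' > "$conf"
        return 0
    fi
    if grep -q '^\[install\][[:space:]]*$' "$conf"; then
        # Rewrite or insert the state line inside the [install] stanza only.
        awk '
            /^\[/ {
                if (in_install && !seen) print "state = disabled"
                in_install = ($0 ~ /^\[install\][[:space:]]*$/); seen = 0
            }
            in_install && /^[[:space:]]*state[[:space:]]*=/ {
                print "state = disabled"; seen = 1; next
            }
            { print }
            END { if (in_install && !seen) print "state = disabled" }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '\n[install]\nstate = disabled\n' >> "$conf"
    fi
}

# app_state <app_dir>
# Prints the state recorded in local/app.conf (simplified: ignores default/).
app_state() {
    conf="$1/local/app.conf"
    [ -f "$conf" ] || { echo enabled; return 0; }
    awk '
        /^\[/ { in_install = ($0 ~ /^\[install\][[:space:]]*$/) }
        in_install && /^[[:space:]]*state[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
        }
        END { if (!found) print "enabled" }
    ' "$conf"
}

# disable_all_apps <deployment_apps_dir>
disable_all_apps() {
    for app_dir in "$1"/*/; do
        [ -d "$app_dir" ] || continue
        disable_app "${app_dir%/}"
    done
}

# Only act on the real deployment server when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    disable_all_apps "$DEPLOY_APPS"
    # Tell the deployment server to re-read its apps and push the change.
    "$SPLUNK_HOME/bin/splunk" reload deploy-server
fi
```

Run it as `sh disable_deployment_apps.sh --apply` on the deployment server; the forwarders pick up the disabled app at their next phone-home, at which point inputs.conf and outputs.conf in those apps stop applying. Inputs or outputs defined directly in a forwarder's etc/system/local are not managed by the deployment server and will keep running.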