Deployment Architecture

How to remove universal forwarder (or UF configs) using the deployment server?


Is it at all possible to remove/uninstall UFs by pushing some script(s) from the deployment server? I do not have OS access on these endpoints & servers. The OS access option is not possible, hence I need to think of some alternative ways to achieve this (if possible).
I can always disable the inputs on the UF, but the requirement is to remove the UF installation itself, or, if not the installation, then all configs like inputs.conf/outputs.conf/deploymentclient.conf and other apps (essentially everything in $SPLUNK_HOME/etc/system/local).

Splunk Deployment server version 8.1.x

UF version >7.1
OS - Windows endpoints and servers, Linux servers

0 Karma


That is one of the reasons I'm not a big fan of the deployment server. With it you can push anything to the forwarder, including scripts and binaries, which you can call as scripted inputs. This "something" will be executed with the privileges of the user running the splunk process. So in the Linux case it would most typically be the "splunk" user, so you wouldn't be able to do much harm. But on Windows the forwarder often runs as the Local System user...

0 Karma


Since you don't have OS access to those UF servers, I'm assuming you didn't install them and most probably won't have access to un-install them. You can't uninstall them using Splunk. Work with Server owners to get the UF un-installed.

You can, however, disable all inputs on that UF as long as you're managing those inputs via deployment server. On the deployment server, edit app.conf for each of the apps that are distributed to the UFs, adding the following:

state = disabled

Then reload the deployment server so it will distribute the updated/disabled app to all the forwarders.

A disabled app is completely ignored, so this effectively disables all the inputs.conf and outputs.conf that are configured in apps. The only risk may be any UFs that have set inputs or outputs in etc/system/local - hopefully there are none of those in your environment.

0 Karma
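The procedure from the answer above as a script, added here as an example and not posted by anyone in the thread. It assumes the apps live under $SPLUNK_HOME/etc/deployment-apps and writes the setting to each app's local/app.conf under the `[install]` stanza, which is where app.conf expects `state`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# set_state_disabled FILE: ensure FILE has "state = disabled" under [install],
# replacing an existing state line and leaving every other stanza untouched.
set_state_disabled() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk '
        # Write the setting once, and only while inside [install].
        function emit() { if (in_install && !wrote) { print "state = disabled"; wrote = 1 } }
        /^[ \t]*\[/ {                      # any stanza header
            emit()                         # [install] ended without a state line
            in_install = ($0 ~ /^[ \t]*\[install\][ \t]*$/)
            if (in_install) seen = 1
            print; next
        }
        in_install && /^[ \t]*state[ \t]*=/ { emit(); next }   # drop old value
        { print }
        END {
            emit()
            if (!seen) { print "[install]"; print "state = disabled" }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# disable_all_apps DIR: apply the change to every app directory under DIR.
disable_all_apps() {
    for app in "$1"/*/; do
        [ -d "$app" ] || continue
        set_state_disabled "${app}local/app.conf" || return 1
        echo "disabled: $app"
    done
}

# Usage on the deployment server, run as the user that owns the Splunk install:
#   disable_all_apps "$SPLUNK_HOME/etc/deployment-apps"
#   "$SPLUNK_HOME/bin/splunk" reload deploy-server
```

As the answer notes, this only affects inputs and outputs defined in deployed apps; anything set in etc/system/local on a forwarder is untouched.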