
How to remove universal forwarder (or UF configs) using the deployment server?


Is it at all possible to remove/uninstall UFs by pushing some script(s) from the deployment server? I do not have OS access on these endpoints & servers. The OS access option is not possible, hence I need to think of some alternative ways to achieve this (if possible).
I can always disable the inputs on the UF, but the requirement is to remove the UF installation itself, or if not the installation, then all configs like inputs.conf/outputs.conf/deploymentclient.conf and other apps (essentially everything in $SPLUNK_HOME/etc/system/local).

Splunk Deployment server version 8.1.x

UF version >7.1
OS - Windows endpoints and servers, Linux servers

0 Karma


That is one of the reasons I'm not a big fan of the deployment server. With it you can push anything to the forwarder, including scripts and binaries, which you can call as scripted inputs. This "something" will be executed with the privileges of the user running the splunk process. So in the Linux case it would most typically be the "splunk" user, so you wouldn't be able to do much harm. But on Windows the forwarder often runs as the Local System user...

0 Karma


Since you don't have OS access to those UF servers, I'm assuming you didn't install them and most probably won't have access to un-install them. You can't uninstall them using Splunk. Work with Server owners to get the UF un-installed.

You can, however, disable all inputs on that UF as long as you're managing those inputs via the deployment server. On the deployment server, edit app.conf for each of the apps that are distributed to the UFs, adding the following:

state = disabled

Then reload the deployment server so it will distribute the updated/disabled app to all the forwarders.

A disabled app is completely ignored, so this effectively disables all the inputs.conf and outputs.conf that are configured in apps. The only risk may be any UFs that have set inputs or outputs in etc/system/local - hopefully there are none of those in your environment.

0 Karma
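The procedure in the answer above, as an added example (not code from the original posts or from Splunk): it sets `state = disabled` in each deployment app's app.conf and defaults to a dry run that only lists the files it would change. Assumptions: the setting lives in the `[install]` stanza, the apps sit in the deployment server's repository (by default `$SPLUNK_HOME/etc/deployment-apps`), and the change is written to `local/app.conf`; the function names and the sample apps are hypothetical.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\s*\[([^\]]*)\]\s*$")
STATE = re.compile(r"^\s*state\s*=")

def disable_app_conf(text):
    """Return app.conf text with `state = disabled` under [install]."""
    out, in_install, placed = [], False, False
    for line in text.splitlines():
        stanza = STANZA.match(line)
        if stanza:
            in_install = stanza.group(1).strip() == "install"
            out.append(line)
            if in_install and not placed:
                out.append("state = disabled")
                placed = True
        elif in_install and STATE.match(line):
            continue  # drop the previous state setting
        else:
            out.append(line)
    if not placed:  # no [install] stanza yet: append one
        out += ["[install]", "state = disabled"]
    return "\n".join(out) + "\n"

def disable_all(deployment_apps, dry_run=True):
    """Disable every app under deployment_apps; return the files changed."""
    changed = []
    for app in sorted(p for p in Path(deployment_apps).iterdir() if p.is_dir()):
        # Assumption: write to local/app.conf, which overrides default/app.conf.
        conf = app / "local" / "app.conf"
        old = conf.read_text() if conf.exists() else ""
        new = disable_app_conf(old)
        if new != old:
            changed.append(conf)
            if not dry_run:
                conf.parent.mkdir(exist_ok=True)
                conf.write_text(new)
    return changed

if __name__ == "__main__":
    # Constructed sample repository standing in for etc/deployment-apps.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "uf_inputs" / "local").mkdir(parents=True)
        (Path(tmp) / "uf_inputs" / "local" / "app.conf").write_text(
            "[install]\nstate = enabled\n\n[ui]\nis_visible = false\n")
        (Path(tmp) / "uf_outputs").mkdir()
        for path in disable_all(tmp, dry_run=False):
            print("disabled:", path)
        # Then reload the deployment server: splunk reload deploy-server
```

Running it a second time reports no changes, so the dry run can also confirm that every app in the repository is already disabled.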