Hi Guys,
I deployed a new heavy forwarder in our environment; however, I'd like to repoint certain devices to the freshly deployed forwarder. I tried updating the IP in local/deploymentclient.conf, but I'm still seeing the old HF information in the logs.
Could you demonstrate to me how to do so?
Probably you have some apps installed on your UF. Those should be in the /opt/splunkforwarder/etc/apps directory. The easiest way to see what you have in outputs.conf, and where it is defined, is the command
<PATH TO YOUR SPLUNK UF HOME>/bin/splunk btool outputs list --debug
That shows all attributes with their values and where they are defined.
Is your conf from an IHF instead of a UF (based on the path /opt/splunk instead of /opt/splunkforwarder)?
Anyhow, as @gcusello said, you should have your own app for UF base configurations (I prefer several, based on the needs of your environment). In that app you have the configuration for where to send events (outputs.conf). This can also contain the DS configuration, or that can be in a separate app; it depends on your environment and needs.
One more thing: just out of curiosity, I changed the output.conf file with the new HF IP.
Is it necessary to also change the same HF IP in the deploymentclient.conf ?
Hi @Rakzskull,
no, as @isoutamo and I said, in deploymentclient.conf there's the address of the Deployment Server, the server with the role of managing forwarders, whereas in outputs.conf there's the address of the Indexers or Heavy Forwarders that must receive logs from the UF.
They can be the same server in labs or small infrastructures, never in medium or big deployments, because in that case both the Indexers and the Deployment Server must be on dedicated servers, so they have different IPs.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
No, the DS is just for deploying those configurations to the UF. outputs.conf defines where the UF will send events. Those are different hosts in almost all non-single-node environments.
The local config directory of the UFs does not contain an outputs.conf file. I can only see the files below in opt/splunk/etc/system/local
deploymentclient.conf
inputs.conf
migration.conf
server.conf
Hi @Rakzskull,
as @scelikok and @isoutamo hinted you have to update both deploymentclient.conf and outputs.conf.
My hint is to create a new add-on (called e.g. TA_Forwarders), containing at least three files:
in this way you can centrally manage your Universal Forwarders without intervening locally on the machines.
Ciao.
Giuseppe
Hi @Rakzskull,
You must update outputs.conf in your UF to send logs to new HF.
Editing deploymentclient.conf only changes the deployment server address. If you are using a deployment server to manage UFs, you should update the outputs.conf configuration in the related deployment app.
I suppose that you have your own (probably several) apps for UF base configuration? Just copy one and change its outputs.conf to point to the IHF you want to send events to. Then switch that app to the correct UFs on the DS side.
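As an added example that is not part of this thread, the script below makes the point of the answers above concrete: deploymentclient.conf only names the Deployment Server, while the data destination lives in outputs.conf, usually inside an app rather than in system/local. It builds a constructed miniature $SPLUNK_HOME/etc tree in a temp directory (the hostnames, ports and the app name TA_Forwarders are placeholders; the app name is taken from @gcusello's suggestion) and resolves a setting the way the thread's `splunk btool outputs list --debug` does: it reports the effective value and the file that defines it, walking Splunk's global precedence order system/local, then apps/*/local, then apps/*/default, then system/default. It is an offline stand-in for btool, not Splunk's own code.

```shell
#!/bin/sh
# Added example: a tiny btool-style resolver over a constructed UF config tree.
# Assumption: directory layout mirrors $SPLUNK_HOME/etc; all values are placeholders.
set -eu
LC_ALL=C; export LC_ALL   # apps resolve in ASCII order, like Splunk (assumption noted in lead-in)

UF_HOME="$(mktemp -d)"
trap 'rm -rf "$UF_HOME"' EXIT
mkdir -p "$UF_HOME/etc/system/local" \
         "$UF_HOME/etc/apps/TA_Forwarders/local" \
         "$UF_HOME/etc/apps/TA_Forwarders/default"

# Constructed: the DS address the original poster edited (system/local).
cat > "$UF_HOME/etc/system/local/deploymentclient.conf" <<'EOF'
[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
EOF

# Constructed: the old HF still set in the app's default layer...
cat > "$UF_HOME/etc/apps/TA_Forwarders/default/outputs.conf" <<'EOF'
[tcpout:primary]
server = old-hf.example.internal:9997
EOF

# ...and the new HF overriding it in the app's local layer.
cat > "$UF_HOME/etc/apps/TA_Forwarders/local/outputs.conf" <<'EOF'
[tcpout:primary]
server = new-hf.example.internal:9997
EOF

# conf_value FILE STANZA KEY: print KEY's value inside [STANZA] of FILE, nothing if absent.
conf_value() {
  [ -f "$1" ] || return 0
  awk -v s="[$2]" -v k="$3" '
    /^\[/     { in_stanza = ($0 == s); next }      # stanza header: are we in the wanted one?
    in_stanza { n = index($0, "="); if (n == 0) next
                key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
                if (key == k) { v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit } }
  ' "$1"
}

# resolve CONF STANZA KEY: print "<value><TAB><defining file>" for the highest-precedence
# definition, searching layers in Splunk's global precedence order. Returns 1 if unset.
resolve() {
  conf="$1"; stanza="$2"; key="$3"
  for f in "$UF_HOME/etc/system/local/$conf.conf" \
           "$UF_HOME"/etc/apps/*/local/"$conf.conf" \
           "$UF_HOME"/etc/apps/*/default/"$conf.conf" \
           "$UF_HOME/etc/system/default/$conf.conf"; do
    v="$(conf_value "$f" "$stanza" "$key")"
    if [ -n "$v" ]; then printf '%s\t%s\n' "$v" "$f"; return 0; fi
  done
  return 1
}

# check_routing: show the two settings side by side. Changing only the first one
# (what the original poster did) leaves the second, and therefore the data path, untouched.
check_routing() {
  printf 'Deployment server : '; resolve deploymentclient target-broker:deploymentServer targetUri
  printf 'Data destination  : '; resolve outputs tcpout:primary server
}

check_routing
```

Run it on a real forwarder by replacing the constructed tree with `UF_HOME=/opt/splunkforwarder` and dropping the `mktemp`/`cat` block; the resolver's second column is what tells you which app (and which layer of it) to change, which is exactly what the thread says to do through the deployment app rather than by hand.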