
How to repoint the UF to the newly added forwarder?

Rakzskull
Path Finder

Hi Guys,


I deployed a new heavy forwarder in our environment; however, I'd like to repoint certain devices to the freshly deployed forwarder. I tried updating the IP in local/deploymentclient.conf, but I'm still getting the old HF information in the logs.

Could you show me how to do so?

1 Solution

isoutamo
SplunkTrust

Probably you have some apps installed on your UF. Those should be in the /opt/splunkforwarder/etc/apps directory. The easiest way to see what you have in outputs.conf, and where it is defined, is to use the command

<PATH TO YOUR SPLUNK UF HOME>/bin/splunk btool outputs list --debug

That shows all attributes with values and where those are defined.

Is your conf from IHF instead of UF (based on path /opt/splunk instead of /opt/splunkforwarder)?

Anyhow, as @gcusello said, you should have your own app (I prefer several, based on the needs of your environment) for the UF base configuration. In that app you have the configuration for where to send events (outputs.conf). It can also contain the DS configuration, or that can be in a separate app; it depends on your environment and needs.

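The script below is an added example, not part of isoutamo's answer or of any Splunk tooling. It reads the outputs.conf layers a Universal Forwarder merges, in the precedence order Splunk applies (etc/system/local, then each app's local/, then each app's default/, then etc/system/default), and reports which file still names an old HF address. It runs without Splunk installed by building a constructed sample UF tree under a temp directory; the addresses 10.0.0.5 (old HF), 10.0.0.6 (new HF), 10.0.0.10 (DS) and the app name TA_Forwarders are hypothetical. On a real forwarder, `splunk btool outputs list --debug` remains the authoritative view, including how ties between apps are resolved.

```shell
#!/bin/sh
# Added example (not from the thread): mimic the "where is it defined" part of
#   $SPLUNK_HOME/bin/splunk btool outputs list --debug
# by reading the outputs.conf layers a UF merges, highest precedence first:
# system/local, apps/*/local, apps/*/default, system/default.

# Print every tcpout target line prefixed with the file that defines it:
#   <file>: server = host:port      <file>: defaultGroup = name
list_outputs_layers() {
  home="$1"
  for f in "$home/etc/system/local/outputs.conf" \
           "$home"/etc/apps/*/local/outputs.conf \
           "$home"/etc/apps/*/default/outputs.conf \
           "$home/etc/system/default/outputs.conf"; do
    [ -f "$f" ] || continue
    grep -E '^[[:space:]]*(server|defaultGroup)[[:space:]]*=' "$f" | sed "s|^|$f: |"
  done
}

# Print each outputs.conf that still references a given HF/indexer address.
find_ip_refs() {
  home="$1"; ip="$2"
  list_outputs_layers "$home" | grep -F -- "$ip" | cut -d: -f1 | sort -u
}

# Constructed sample UF tree (hypothetical addresses): the DS-deployed app still
# points at the old HF 10.0.0.5 in default/, while a hand edit in local/ points
# at the new HF 10.0.0.6. local/ wins in the merged view, but the next redeploy
# from the DS replaces the whole app directory, hand edits included.
make_sample_uf() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/system/local" \
           "$d/etc/apps/TA_Forwarders/default" \
           "$d/etc/apps/TA_Forwarders/local"
  printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = 10.0.0.10:8089\n' \
    > "$d/etc/system/local/deploymentclient.conf"
  printf '[tcpout]\ndefaultGroup = hf_group\n\n[tcpout:hf_group]\nserver = 10.0.0.5:9997\n' \
    > "$d/etc/apps/TA_Forwarders/default/outputs.conf"
  printf '[tcpout:hf_group]\nserver = 10.0.0.6:9997\n' \
    > "$d/etc/apps/TA_Forwarders/local/outputs.conf"
  echo "$d"
}

UF_HOME=$(make_sample_uf)
echo "== outputs.conf layers, highest precedence first =="
list_outputs_layers "$UF_HOME"
echo "== files still pointing at the old HF 10.0.0.5 =="
find_ip_refs "$UF_HOME" 10.0.0.5
```

Point `make_sample_uf` aside and pass the real UF home (e.g. /opt/splunkforwarder) to the two functions to audit a live host. Note that deploymentclient.conf and outputs.conf are kept separate on purpose here: the first only names the Deployment Server, the second names where events go, which is the distinction the rest of the thread turns on.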

Rakzskull
Path Finder

One more thing, just out of curiosity: I changed the outputs.conf file to the new HF IP.

Is it necessary to also change the same HF IP in the deploymentclient.conf?


gcusello
SplunkTrust

Hi @Rakzskull,

No. As @isoutamo and I said, deploymentclient.conf holds the address of the Deployment Server, the server whose role is to manage forwarders, while outputs.conf holds the address of the Indexers or Heavy Forwarders that must receive logs from the UF.

They can be the same server in labs or small infrastructures, never in medium or large deployments, because in that case both the Indexers and the Deployment Server must be on dedicated servers, so they have different IPs.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust

No, the DS is just for deploying those configurations to the UF. outputs.conf defines where the UF will send events. Those are different hosts in almost every environment that is not a single node.


Rakzskull
Path Finder

The local config directory of the UFs does not contain an outputs.conf file. I can only see the files below in /opt/splunk/etc/system/local:

deploymentclient.conf
inputs.conf
migration.conf
server.conf


isoutamo
SplunkTrust
SplunkTrust

Probably you have some apps installed on your UF. Those should be on /opt/splunkforwarder/etc/apps directory. The easiest way to look what you have on outputs.conf and where is use command

<PATH TO YOUR SPLUNK UF HOME>/bin/splunk btool outputs list --debug

That shows all attributes with values and where those are defined.

Is your conf from IHF instead of UF (based on path /opt/splunk instead of /opt/splunkforwarder)?

Anyhow as @gcusello said you should have own app for UF (I prefer several based on needs on your environment) base configurations. On that app you have configurations for where to send events (outputs.conf). Then this can contains also DS configurations or that can be on separate app, it's depending on your environment and needs. 

0 Karma

gcusello
SplunkTrust

Hi @Rakzskull,

as @scelikok and @isoutamo hinted, you have to update both deploymentclient.conf and outputs.conf.

My hint is to create a new add-on (called e.g. TA_Forwarders) containing at least three files:

  • apps.conf: describing the add-on,
  • outputs.conf: addressing the HFs or the Indexers to send data,
  • deploymentclient.conf: addressing the Deployment Server.

In this way you can centrally manage your Universal Forwarders without intervening locally on the machines.

Ciao.

Giuseppe

scelikok
SplunkTrust

Hi @Rakzskull,

You must update outputs.conf on your UF to send logs to the new HF.

Editing deploymentclient.conf only changes the deployment server address. If you are using a deployment server to manage the UFs, you should update the outputs.conf configuration in the related deployment app.

 

If this reply helps you, an upvote and "Accept as Solution" are appreciated.

isoutamo
SplunkTrust

I suppose you have your own app (probably several) for the UF base configuration? Just copy it and change its outputs.conf to point to the IHF that should receive the events. Then switch that app to the correct UFs on the DS side.
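The following is an added example that ties together Giuseppe's add-on layout, scelikok's point that the deployment app's outputs.conf is what has to change, and isoutamo's advice to copy the app and switch it on the DS side. It is not code from any of the posters or from Splunk. It builds the add-on under the Deployment Server's etc/deployment-apps and binds it to a server class, so repointing UFs becomes a DS-side change. The app name TA_Forwarders_hf02, the hostname pattern web-*, and the addresses 10.0.0.6:9997 (new HF) and 10.0.0.10:8089 (DS) are hypothetical; the file names and settings are standard Splunk ones. The app descriptor is written as app.conf, which is the name Splunk uses for the file Giuseppe calls apps.conf. The demo writes into a temp directory; on a real DS you would pass /opt/splunk and then run `splunk reload deploy-server`.

```shell
#!/bin/sh
# Added example (not from the thread): build a UF base-configuration add-on on
# the Deployment Server and assign it to a server class. Names and addresses
# are hypothetical; settings are standard app.conf / outputs.conf /
# deploymentclient.conf / serverclass.conf keys.

# Write <DS_HOME>/etc/deployment-apps/<app>/local/{app,outputs,deploymentclient}.conf
# and print the directory that was created.
build_deployment_app() {
  ds_home="$1"; app="$2"; hf_addr="$3"; ds_addr="$4"
  dir="$ds_home/etc/deployment-apps/$app/local"
  mkdir -p "$dir"
  # app.conf: enabled, hidden from the UI, no update checks
  printf '[install]\nstate = enabled\n\n[ui]\nis_visible = false\n\n[package]\ncheck_for_updates = false\n' \
    > "$dir/app.conf"
  # outputs.conf: where the UF sends events (the HF or indexers)
  printf '[tcpout]\ndefaultGroup = hf_group\n\n[tcpout:hf_group]\nserver = %s\n' "$hf_addr" \
    > "$dir/outputs.conf"
  # deploymentclient.conf: which Deployment Server manages the UF
  printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = %s\n' "$ds_addr" \
    > "$dir/deploymentclient.conf"
  echo "$dir"
}

# Append a server class matching UFs by hostname pattern and assign the app.
# restartSplunkd makes the UF apply the new outputs.conf after download.
add_serverclass() {
  ds_home="$1"; class="$2"; pattern="$3"; app="$4"
  sc="$ds_home/etc/system/local/serverclass.conf"
  mkdir -p "$(dirname "$sc")"
  printf '[serverClass:%s]\nwhitelist.0 = %s\n\n[serverClass:%s:app:%s]\nrestartSplunkd = true\n\n' \
    "$class" "$pattern" "$class" "$app" >> "$sc"
  echo "$sc"
}

# Sanity check before reloading the DS: how many tcpout targets the app names.
count_tcpout_servers() {
  grep -c '^server = ' "$1/etc/deployment-apps/$2/local/outputs.conf"
}

# Demo on a constructed temporary DS home. On the real DS use /opt/splunk, then:
#   /opt/splunk/bin/splunk reload deploy-server
DS_HOME=$(mktemp -d)
build_deployment_app "$DS_HOME" TA_Forwarders_hf02 10.0.0.6:9997 10.0.0.10:8089
add_serverclass "$DS_HOME" uf_repoint_hf02 'web-*' TA_Forwarders_hf02
echo "== outputs.conf that will reach the matched UFs =="
cat "$DS_HOME/etc/deployment-apps/TA_Forwarders_hf02/local/outputs.conf"
echo "== server class on the DS =="
cat "$DS_HOME/etc/system/local/serverclass.conf"
```

To move a second group of hosts to another HF, call `build_deployment_app` again with a new app name and address and add a second server class with its own whitelist; the DS then pushes the right outputs.conf to each group. Because the DS replaces the whole app directory on the UF when the app changes, any hand edit made earlier inside that app on a forwarder is discarded, which is why the change belongs here and not in the UF's local copy. If the UF-to-HF link is TLS-protected, the same [tcpout] stanza is where settings such as sslVerifyServerCert and clientCert live, so review them whenever the target changes.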
