Deployment Architecture

Is it possible to retrieve the hashes of apps pushed by the deployment server before deploying?

quasikaze
Explorer

According to the top answer in the question titled "Deployment Server - when app is redeployed, what is overwritten" (url listed below), the deployment server creates a hash of an app and compares it to the hash of what it has and then decides accordingly. Is there a file or database somewhere on the deployment server that contains the listing of hashes by app and computer? I would like to be able to retrieve them to validate the users aren't modifying anything on the universal forwarders. I want to get those hashes and then compare them to a hash of what's currently on the machine. I could write a script to go through and do this myself, but if there is some type of backend functionality Splunk has that I'm unaware of, that would be wonderful. Maybe there is already a different way to prevent a user from altering anything?

0 Karma

somesoni2
Revered Legend

On Deployment Server, you'll find the deployment bundles for each app assigned for each serverclass defined in serverclass.conf in below path

$SPLUNK_HOME/var/run/tmp/<<ServerClassName>>

App bundles to be found in $SPLUNK_HOME/var/run/tmp/<<ServerClassName>>/<<appname>>-timestmap.bundle

On the client/forwarder, last received bundle is stored in following path.

$SPLUNK_HOME/var/run/<<ServerClassName>>/<<appname>>-timestmap.bundle
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.