Problem with deployment apps

Federica_92
Communicator

Hi everyone, I have set up a deployment app with 3 clients. When I edit a file inside one of the apps, it is correctly changed in the local app inside the client.
On the client I have already installed a forwarder that should send the data to the deployment app; the outputs.conf should be fine, I copy a version of it here:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer1

[tcpout-server://indexer1:9997]

I'm also listening on port 9997, but the data are not coming through, and furthermore on the forwarding manager, under "phone home", there is a red triangle with an exclamation mark in the middle. What does it mean?
In the log file I didn't find anything useful. I can ping the client from the deployment app, and before using the deployment app the clients were sending the data.
Let me know, thank you.

0 Karma

lguinn2
Legend

For the phone-home: every one of the clients needs to have a deploymentclient.conf file that points to the deployment server. This has to be done manually the first time - there is no way to deploy the initial deploymentclient.conf file via the deployment server!

Your deploymentclient.conf file should point to the deployment server like this:

[deployment-client]

[target-broker:deploymentServer]
targetUri=YourDeplServer.YourCo.com:8089

Note that deploymentclient.conf points to the splunkd process (usually on port 8089) - NOT the forwarding/receiving port! If this file is correct, then that should solve the "phone home" problem. And once the clients phone home, they should be updated with the appropriate apps / configuration files.

Your outputs.conf file seems fine. Your server does have to include the port, like this:

server = 10.38.76.82:9997

Note that in outputs.conf, you must specify the port where the indexer(s) is listening.

Finally, have you configured the indexer(s) to listen on port 9997?

0 Karma
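An added example, not from this thread or from Splunk: a small Python lint for the two files lguinn2 describes. It parses outputs.conf and deploymentclient.conf (Splunk's INI-style format), flags a server entry that lacks a port (the mistake in the first posted outputs.conf) and a server entry that points at splunkd's management port 8089 instead of the indexer's receiving port, and checks that targetUri carries a host:port. The sample config text is constructed from the thread; function names are my own.

```python
import configparser

# Constructed sample: the outputs.conf as first posted in this thread (server lacks a port).
OUTPUTS_MISSING_PORT = """[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer1

[tcpout-server://indexer1:9997]
"""
SPLUNKD_MGMT_PORT = 8089  # splunkd management port (deployment server), never a receiving port

def parse_conf(text):
    """Parse Splunk's INI-style .conf text; keys keep their case (defaultGroup)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def split_host_port(value):
    """Return (host, port) for 'host:port', or None when the port is missing or invalid."""
    host, sep, port = value.strip().rpartition(":")
    return (host, int(port)) if sep and host and port.isdigit() else None

def check_outputs(text):
    """Lint outputs.conf: every server in the defaultGroup stanza needs host:port, and
    that port must be the indexer's receiving port, not splunkd's management port."""
    cp = parse_conf(text)
    group = cp["tcpout"].get("defaultGroup") if "tcpout" in cp else None
    if group is None or f"tcpout:{group}" not in cp:
        return [f"no [tcpout:<defaultGroup>] stanza found (defaultGroup={group})"]
    stanza, findings = f"tcpout:{group}", []
    for entry in cp[stanza].get("server", "").split(","):
        hp = split_host_port(entry)
        if hp is None:
            findings.append(f"{stanza}: server {entry.strip()!r} has no port, use host:9997")
        elif hp[1] == SPLUNKD_MGMT_PORT:
            findings.append(f"{stanza}: port {hp[1]} is splunkd management, not receiving")
    return findings

def check_deploymentclient(text):
    """Lint deploymentclient.conf: targetUri must be deploymentserver:port (usually 8089)."""
    cp = parse_conf(text)
    section = "target-broker:deploymentServer"
    uri = cp[section].get("targetUri", "") if section in cp else ""
    return [] if split_host_port(uri) else [f"targetUri {uri!r} must be host:port"]
```

Run it against the real files from $SPLUNK_HOME/etc/system/local on a forwarder before looking at splunkd.log; an empty list from both checks means the syntax is sound and the remaining suspects are the receiving port on the indexer and network reachability.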

Federica_92
Communicator

Yes, I used

splunk set deploy-poll indexer1:8089

to point the indexer to the forwarder; also, if I use ./splunk show deploy-poll, it is working fine.
In outputs.conf I'm using only port 9997, which is open and listening; I have also checked using telnet.

Any other ideas?
Maybe I can add that 2 clients are Windows and 2 clients are Linux? Does this change anything?

Thank you

0 Karma

Federica_92
Communicator

I'm currently checking using netstat -at and I'm listening on port 9997.
As local address I have my indexer:9997 and my indexer:8089; as foreign address I have the IP of the forwarder, but this only for one of the 4 forwarders. Could this mean anything?

0 Karma

lguinn2
Legend

Did you set the deployment option to restart splunkd on the forwarder after installing the app?

I assume you are running Splunk 6.2.3?

0 Karma

lguinn2
Legend

You have a syntax problem. It should be

server = indexer1:9997

Also, you don't need this line at all - it is optional and does nothing for you.

[tcpout-server://indexer1:9997]

0 Karma

Federica_92
Communicator

I removed the last line; what's the meaning of it? And I already wrote the port after the indexer ._. Basically it is not phoning home (I know, that sounds funny).
When I check splunkd.log, it says "splunk@indexer1:8089" invalid target and/or port
and connection with host=indexer1 failed

0 Karma

lguinn2
Legend

Port 8089 is normally assigned to splunkd - if it is, you can't use it for forwarding. What port do you write "after the indexer?"

At this point, it would be helpful to see (1) the current text of outputs.conf and (2) the complete error message from splunkd.log. I assume that you are talking about the splunkd.log on the forwarder.

0 Karma

Federica_92
Communicator

This is a copy and paste of the file:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.38.76.82:9997

[tcpout-server://10.38.76.82:9997]

Thank you for your help :)

0 Karma

lguinn2
Legend

This outputs.conf file looks fine. Are you still getting the error? What is the full text of the error message in splunkd.log? What version of Splunk are you using?

0 Karma

Federica_92
Communicator

The latest version of Splunk. The message says: TcpOtputProc : UniversalForwarder not configured. Please configure outputs.conf
And all my clients are not "phoning home".

0 Karma