Deployment Architecture

Question about Serverclass.conf ?

sieutruc
Contributor

Hello,

I want to use deployment server to separate 2 kind of system machine: Windows 2000 and Windows 2003.
In the deployment server, i have serverclass.conf as:

[global]
whitelist.0 = *

[serverClass:testMachine1:app:deploy_input1]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine1:app:deploy_output1]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine1:app:deploy_perfmon1]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine1]

filterType = blacklist

whitelist.0 = client20_*

[serverClass:testMachine2:app:deploy_input2]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine2:app:deploy_output2]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine2:app:deploy_perfmon2]

stateOnClient = enabled

restartSplunkd = true

[serverClass:testMachine2]

filterType = blacklist

whitelist.0 = client23_*

And in the Wins 2003 client machine, i configured deploymentclient.conf as:

[deployment-client]

clientName=client23_01

phoneHomeIntervalInSecs=20

[target-broker:deploymentServer]

targetUri = splunkserver02:8089

I saw that this client downloaded all the applications in 2 classes, totally 6 apps enumerated above. Can you tell me what wrong i got ?

0 Karma
1 Solution

emiller42
Motivator

I would change the way you're using whitelists/blacklists as your config is very permissive by default. For example, the global stanza whitelists everything that isn't explicitly blacklisted in a more specific stanza. In your serverclass stanzas, the filtertype=blacklist means that the default state is to match unless told otherwise. (So mistakes in your filters mean the app goes out to a wider than intended audience)

I would use the following for your serverclass.conf

[global]
blacklist.0 = *

[serverClass:testMachine1]
filterType = whitelist
whitelist.0 = client20_*
stateOnClient = enabled
restartSplunkd = true
[serverClass:testMachine1:app:deploy_input1]
[serverClass:testMachine1:app:deploy_output1]
[serverClass:testMachine1:app:deploy_perfmon1]

[serverClass:testMachine2]
filterType = whitelist
whitelist.0 = client23_*
stateOnClient = enabled
restartSplunkd = true
[serverClass:testMachine2:app:deploy_input2]
[serverClass:testMachine2:app:deploy_output2]
[serverClass:testMachine2:app:deploy_perfmon2]

This means that anything that talks to the deployment server starts out as blacklisted. Then the serverClass stanzas also say the default state is blacklisted unless they match the whitelist.0 filter. I also moved the stateOnClient and restartSplunkd lines to the serverClass as they're all defined the same. But you can keep them under the app stanzas if you want to specify them individually.

View solution in original post

emiller42
Motivator

I would change the way you're using whitelists/blacklists as your config is very permissive by default. For example, the global stanza whitelists everything that isn't explicitly blacklisted in a more specific stanza. In your serverclass stanzas, the filtertype=blacklist means that the default state is to match unless told otherwise. (So mistakes in your filters mean the app goes out to a wider than intended audience)

I would use the following for your serverclass.conf

[global]
blacklist.0 = *

[serverClass:testMachine1]
filterType = whitelist
whitelist.0 = client20_*
stateOnClient = enabled
restartSplunkd = true
[serverClass:testMachine1:app:deploy_input1]
[serverClass:testMachine1:app:deploy_output1]
[serverClass:testMachine1:app:deploy_perfmon1]

[serverClass:testMachine2]
filterType = whitelist
whitelist.0 = client23_*
stateOnClient = enabled
restartSplunkd = true
[serverClass:testMachine2:app:deploy_input2]
[serverClass:testMachine2:app:deploy_output2]
[serverClass:testMachine2:app:deploy_perfmon2]

This means that anything that talks to the deployment server starts out as blacklisted. Then the serverClass stanzas also say the default state is blacklisted unless they match the whitelist.0 filter. I also moved the stateOnClient and restartSplunkd lines to the serverClass as they're all defined the same. But you can keep them under the app stanzas if you want to specify them individually.

jhedgpeth
Path Finder
  • I realize this is old, but others might find it useful.

you might find a condensed version more supportable. We use this method to avoid all the redundant settings, and it ends up being more readable, I think.

# use these defaults
[global]
filterType = whitelist
stateOnClient = enabled
restartSplunkd = true

# class definitions
[serverClass:win2000]
whitelist.0 = client20_*

[serverClass:win2003]
whitelist.0 = client23_*

# app deployments
[serverClass:win2000:app:deploy_input1]
[serverClass:win2000:app:deploy_output1]
[serverClass:win2000:app:deploy_perfmon1]

[serverClass:win2003:app:deploy_input2]
[serverClass:win2003:app:deploy_output2]
[serverClass:win2003:app:deploy_perfmon2]
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...