Deployment Architecture

Turning on SplunkLightForwarder via deployment Server?

Builder

I'm setting up our deployment server configuration. I have the following set up in my serverclass.conf:

[serverClass:WintelServers]
whitelist.0 = pw*.wil.csc.local
whitelist.1 = pw*.cscinfo.com
whitelist.2 = pw*

[serverClass:WintelServers:app:winevntlogs]
stateOnClient = enabled
restartSplunkd = true

[serverClass:WintelServers:app:forward_to_splunk]
stateOnClient = enabled
restartSplunkd = true

[serverClass:WintelServers:app:SplunkLightForwarder]
stateOnClient = enabled
restartSplunkd = true

The Windows server I have as a deployment-client is picked up and shows the configuration and the application as enabled, but the web interface is still available.

I then tried the following:

I set up $SPLUNK_HOME/etc/deployment-apps/SplunkLightForwarder/default/app.conf with the following:

[install]
state = enabled

But that didn't work at all..

Tags (1)
1 Solution

Splunk Employee
Splunk Employee

Did you copy (or symlink) the entire SplunkLightForwarder app into $SPLUNK_HOME/etc/deployment-apps? If not, and you just made a directory and stuck in the app.conf file, the shipped app will be wiped and replaced with that mostly-empty directory (and thus won't have any of the Light Forwarder configurations).

View solution in original post

Path Finder

but the web interface is still available.

I had the same exact problem

Did you copy (or symlink) the entire SplunkLightForwarder app into $SPLUNK_HOME/etc/deployment-apps? If not, and you just made a directory and stuck in the app.conf file, the shipped app will be wiped and replaced with that mostly-empty directory (and thus won't have any of the Light Forwarder configurations).

Copying the entire app is what worked for me.

Builder

That's basically what I did. I set up my deployment server, made copies of the splunklightforwarder and modified the inputs.conf and outputs.conf files..

It's pretty handy!

0 Karma

Builder

Does turning on SplunkLightForwarder shut down apps such as the search app?

Here's the deal: I was having problems with specifying what to monitor and where to forward the data to on our windows server.

I basically copied the search app over to deployment-apps and renamed it to windows_search. In this app, I configured "windows_search" with the appropriate inputs.conf to pull the event logs and assign the right index to them.

This worked fine, until I set up the LightWeightForwarder to enabled. It then stopped forwarding events.

As soon as I disabled the LightWeightForwarder it worked again 😞

Any ideas how I can make this work?

EDIT Update: UGGH, just realized it's really not working either

Okay, I guess I need to figure out how to do this. I want to be able to set up a deployment server that will (based on host name) set up forwarding, point to the right inputs, and enable lightweightforwarding. Is that possible?

0 Karma

Splunk Employee
Splunk Employee

Did you copy (or symlink) the entire SplunkLightForwarder app into $SPLUNK_HOME/etc/deployment-apps? If not, and you just made a directory and stuck in the app.conf file, the shipped app will be wiped and replaced with that mostly-empty directory (and thus won't have any of the Light Forwarder configurations).

View solution in original post

Builder

Whoops, I'll take a look at it tomorrow.

0 Karma

Super Champion

I think there is an issue with the Light Forwarders not disabling the web interface, as you point out. I think you need to set the service to disabled (or manual) by hand.... Not sure if this is scheduled to be fixed or not...

Someone please correct me if I'm wrong.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!