Deployment Architecture

What apps are not compatible with the deployment server?

seratoz
New Member

I ask this because I just spent a while trying to debug why installing the "Microsoft Supporting Add-on for Active Directory" would not work when I deployed it using the deployment server. I determined that it is using the REST API to encrypt the password for the LDAP account being configured. This, however, uses the current server's (Master Node's) private key... and therefore when deployed to the other servers, they cannot perform a successful BIND as they cannot successfully decrypt the LDAP account password. I understand the challenges of secure credentials when deploying; however, this wouldn't be an issue if two things happened:

  1. Check for running directory and notify the user if the App is being run for the first time from the slave-apps directory to allow them to re-enter the credentials.
  2. Web GUI works after deployment.

This add-on's web GUI also appears broken when deployed into the slave-apps directory... but I am still troubleshooting this... If anyone has any idea where to start, that would be helpful. I am assuming some sort of static reference (/opt/splunk/etc/apps/SA_ldapsearch) to directories has been made instead of a relative reference ($SPLUNK_DIR/SA_ldapsearch), but it's just a guess.

0 Karma

gjanders
SplunkTrust

The deployment server as per the documentation can deploy to forwarders, non-clustered indexers, and non-clustered search heads.

Generally I find the only reason you want to use the deployment server is to have an application consistently configured on universal forwarders. It effectively appears to be a zip/unzip process when using the deployment server, so you should not, for example, deploy to a heavy forwarder where the app is getting configured locally on the heavy forwarder via REST or the GUI interface.

Furthermore, the directories you mention (slave-apps) imply that you're deploying to indexer cluster peer nodes, which is not supported from the deployment server. Are you referring to a cluster master?

I recommend you sync the splunk.secret file among the cluster master & indexers/peer nodes post-installation; if you do this after starting up the Splunk instance it will involve more work. This way you can use an encrypted password when deploying from the cluster master.
If you put an unencrypted password into the master-apps in the cluster master, it will end up in the slave-apps on the indexer peers, and since slave-apps is read-only the encrypted password will appear in /opt/splunk/etc/apps//local/...


0 Karma
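Added example, not part of the original posts or of Splunk's own tooling: a pre-push check for the situation described above, which lists conf settings in a master-apps app that already hold encrypted values (Splunk prefixes these with `$1$` or `$7$`) and compares SHA-256 fingerprints of each node's splunk.secret. It assumes each node's `$SPLUNK_HOME/etc/auth/splunk.secret` has been made readable at a local path; the node names, secret contents, `ldap.conf` file and `password` key are constructed sample data.

```python
import hashlib, re, tempfile
from pathlib import Path

# Encrypted conf values carry a "$1$" or "$7$" prefix and can only be
# decrypted with the splunk.secret that produced them.
ENCRYPTED = re.compile(r"^\s*([\w.\-]+)\s*=\s*(\$[17]\$\S+)")

def secret_fingerprint(path):
    """SHA-256 of a splunk.secret file, so secrets are compared without printing them."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def mismatched_nodes(reference, secrets):
    """Names of nodes whose splunk.secret differs from the reference node's."""
    want = secret_fingerprint(secrets[reference])
    return sorted(n for n, p in secrets.items() if secret_fingerprint(p) != want)

def encrypted_settings(app_dir):
    """(file, key) pairs in an app's .conf files that hold encrypted values."""
    hits = []
    for conf in sorted(Path(app_dir).rglob("*.conf")):
        for line in conf.read_text().splitlines():
            m = ENCRYPTED.match(line)
            if m:
                hits.append((conf.relative_to(app_dir).as_posix(), m.group(1)))
    return hits

def bundle_is_safe(app_dir, reference, secrets):
    """Encrypted values in a bundle are only usable on nodes sharing the secret."""
    return not encrypted_settings(app_dir) or not mismatched_nodes(reference, secrets)

def build_demo(root):
    """Constructed sample: a master, two peers, and one app with an encrypted password."""
    root, secrets = Path(root), {}
    for node, value in [("master", b"AAAA"), ("peer1", b"AAAA"), ("peer2", b"BBBB")]:
        p = root / node / "splunk.secret"          # stand-in for etc/auth/splunk.secret
        p.parent.mkdir(parents=True)
        p.write_bytes(value + b"\n")
        secrets[node] = p
    local = root / "master-apps" / "SA_ldapsearch" / "local"
    local.mkdir(parents=True)
    (local / "ldap.conf").write_text(
        "[default]\nbinddn = CN=svc\npassword = $7$Q29uc3RydWN0ZWQ=\n")  # constructed value
    return local.parent, secrets

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, secrets = build_demo(tmp)
        print("encrypted settings:", encrypted_settings(app_dir))
        print("nodes with a different secret:", mismatched_nodes("master", secrets))
        print("safe to push:", bundle_is_safe(app_dir, "master", secrets))
```
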


seratoz
New Member

Garethatiag, I greatly appreciate your response, I did use incorrect terminology in my question.

Deployment server is for forwarders, Deployer server is for Search Head Clusters, and Master Node is for indexers.

My question concerns deploying the add-on above using the Master Node. I rebuilt the cluster yesterday and shared the secret key among the servers to solve this issue; however, it still seems apps could be better developed to support the deployment methodology.

0 Karma

gjanders
SplunkTrust
SplunkTrust

I agree, the different methods of deployment are also quite confusing when you first start with Splunk...

0 Karma