Deployment Architecture

Why are Universal Forwarders not getting pushed config apps?

jpfrancetic
Path Finder

Hi Splunk community,

I am currently having an issue with deploying apps to universal forwards.  On the deployment server side, I have the hosts set up in the whitelist for specific server classes and on the UF side, I have a deployment client on the hosts plus they are phoning home into the DS. 

We are not receiving logs from these UFs because the app that contains the input.conf for these servers is not getting pushed to the UFs. 

Is there a way to force the app to get pushed / am I missing a configuration that is causing this to happen? This has been a recurring problem because the app sporadically gets removed from these servers.

Thanks in advance!

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

you should try to find why your DC is not loading / enabling package from your DS. You could try to find the reason from internal logs with queries

index=_internal component=DS* host=<your DS>
index=_internal component=DC* host=<your UF/HF>
index=_internal component=Deploy* host=<your UF/HF>

Those messages should told to you what there is happening.

r. Ismo 

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...