Deployment Architecture

Why is deployment client not showing up on the deployment console?

smcdonald20
Path Finder

I am having an issue where some of my deployment clients are not showing up under the clients tab on the forwarder management console.

I have checked the below:
Telnet to deployment server on 8089 successfully - Yes
deploymentclient.conf targetUri set correctly - Yes (hostname.options-it.com:8089)

Is there anything else I should be checking?
From reading online, I tried to run the command "splunk show deploy-poll" but got the error "Authentication needed, run 'splunk login'", and I cannot run "splunk login" from the bin folder. Is this a clue that something is wrong?

Thanks

1 Solution

smcdonald20
Path Finder

After looking at the diag, I found out that the GUID for the deployment client seems to be the same on several machines.

You can see the same by running the following search from your DMC or the deployment server:

index=_internal "changed some of its properties on the latest phone home" |stats values(ip) values(hostname)

You will get a list of all the hostnames and IPs that are generating the error; see the attached CSV file.

As a solution, you can delete the GUID in $SPLUNK_HOME/etc/instance.cfg and restart Splunk after that.

For future reference, assuming you are cloning the client OS, you should follow this documentation:
http://docs.splunk.com/Documentation/Forwarder/7.0.3/Forwarder/Makeauniversalforwarderpartofahostima...
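
The duplicate-GUID check described in the accepted answer can also be run directly against the instance.cfg files. The following is an added example, not part of the original post and not Splunk tooling; it assumes the contents of each host's instance.cfg have already been collected, and the hostnames and GUIDs are constructed sample values.

```python
import configparser
from collections import defaultdict

# Constructed sample data: instance.cfg contents gathered from four
# forwarders. Hostnames and GUIDs are made up for this example.
SAMPLE_CONFIGS = {
    "web01": "[general]\nguid = 11111111-2222-3333-4444-555555555555\n",
    "web02": "[general]\nguid = 11111111-2222-3333-4444-555555555555\n",
    "db01": "[general]\nguid = AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE\n",
    "new01": "[general]\n",  # image prepared for cloning, no GUID yet
}


def read_guid(cfg_text):
    """Return the guid from the [general] stanza, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    guid = parser.get("general", "guid", fallback=None)
    # Normalise case so the same GUID written differently still matches.
    return guid.strip().upper() if guid else None


def find_duplicate_guids(configs):
    """Map each GUID used by more than one host to its sorted host list."""
    hosts_by_guid = defaultdict(list)
    for host, text in configs.items():
        guid = read_guid(text)
        if guid:
            hosts_by_guid[guid].append(host)
    return {g: sorted(h) for g, h in hosts_by_guid.items() if len(h) > 1}


def strip_guid(cfg_text):
    """Return the config text with its guid line removed, which is the
    edit the post describes making before restarting Splunk."""
    kept = [ln for ln in cfg_text.splitlines()
            if ln.split("=", 1)[0].strip().lower() != "guid"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for guid, hosts in find_duplicate_guids(SAMPLE_CONFIGS).items():
        print(f"{guid} is shared by: {', '.join(hosts)}")
```
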

p_gurav
Champion

Can you try running :

splunk show deploy-poll -auth admin:changeme

smcdonald20
Path Finder

Thanks! This works, but it brings me back the expected deployment server opspkdply:8089.
Any other ideas of why the client isn't showing up on the deployment server?


p_gurav
Champion

Can you check the _internal logs for the forwarder? Is there any error?


smcdonald20
Path Finder

In the splunkd logs I do see the following error:
DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
DS_DC_Common - Deployment Client initialized.
ServerRoles - Declared role=deployment_client.
DS_DC_Common - Deployment Server not available on a dedicated forwarder.

@p_gurav do any of the above mean anything to you?


p_gurav
Champion

Did you restart the forwarder after setting deploy-poll? Also, can you share the deploymentclient.conf file?


smcdonald20
Path Finder

I didn't actually make any changes. I ran splunk show deploy-poll.
After seeing this comment, I ran splunk set deploy-poll but it showed "no configuration changes made".

I have restarted the forwarder regardless. Do I also need to restart Splunk on the deployment server?
