Deployment Architecture

Why is deployment server ignoring inputs.conf and server.conf settings for host and serverName?

Engager

Due to automation constraints, we can't change the actual hostname on the Linux box, and they are replaced with different IP/hostname each morning. I can set the hostname in the local inputs.conf, and server.conf, but that still does not cause the DS to deploy the app, even though it correctly labels the events with the assigned host name that are sent by the default all_clients apps.

I have to manually add the new IP to the clients list to get the other app to install, and after that i get events in the index with the desired hostname.

Somehow DS only recognizes the actual Linux host name for deployments and ignores the settings in inputs.conf and server.conf

How can I force the app to be installed other than the native linux host name? This app is only for a few servers out of hundreds.

0 Karma

Esteemed Legend

Don't use DNS/hostnames at all, give each box a splunk-specific hostnamish name that never has to change. The dox here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

Say this:

clientName = deploymentClient
* Defaults to deploymentClient.
* A name that the deployment server can filter on.
* Takes precedence over DNS names.

So do:

clientName = DBServer1234

And use that in your DS whitelist/blacklist.

0 Karma

Contributor

Are these VMs?

0 Karma

Engager

Yes they are VMs.

I think I found a workaround by setting the desired name in deploymentclient.conf

I manually added it and restarted services and deployment server picked it up and sent the app.

Final test is to see if adding that to automation process will allow hands off app install when deployed.

0 Karma

Contributor

cool, so when i work with VM's I black list the VM they build the golden image on and then and white list the ones you want to manage via the deployment server. (i only place the deploymnetclient.conf file on the golden image) You also should be running ./splunk clone-prep-clear-config on the golden image, this will remove the server names and other unique things. also setting the app to auto restart when the clients check in and grabs the updated apps will be needed, its just a check mark box in the dep server

https://docs.splunk.com/Documentation/Forwarder/7.2.5/Forwarder/Makeauniversalforwarderpartofahostim...

One thing to be aware of is... The "check sum" in the .conf files can "out of sync" if you deploy .conf files via SCCM or have them set in the golden image.

We found this out the hard way with SCCM, none of our deployment files were applying because they looked the same on the deplyer and i assume the UF would say " yah i am good so no need to update my files... ever again." we fix by adding a comment like #FROM SCCM and then when they check in it over writes the .conf files.

hope this helps!

0 Karma