Deployment Architecture

deployment question regarding apps

edchow
Explorer

I want to setup my deployment server to server two different configuration files based on hostname.

I have setup the following serverclass.conf on the deployment server.

[global]

[serverClass:webservers]
whitelist.0=host1.us-west-1.compute.amazonaws.com
[serverClass:webservers:app:web]

[serverClass:proxies]
whitelist.0=host2.us-west-1.compute.amazonaws.com
[serverClass:proxies:app:proxy]

I believe I have created the match and the destination for where the forwarder picks up it app from: /$SPLUNK_HOME/etc/deployment-apps/webservers

The app directory should now contain the configuration files i need to ingest the required logfiles and forward them to the correct index i.e. inputs.conf and outputs.conf

If all I need the forwarder to do is to ingest some specific log files and have them forwarded to the a specific index, I only require an inputs.conf and outputs.conf file in this app directory.

ie. I have created: /$SPLUNK_HOME/etc/deployment-apps/webservers/inputs.conf

[monitor://opt/log/www1]
sourcetype = apache
index = web
[monitor://opt/log/www2]
sourcetype = apache
index = web
[monitor://opt/log/www3]
sourcetype = apache
index = web

And

outputs.conf

[tcpout:group1]
index1.us-west-1.compute.amazonaws.com:9997,index2.compute.amazonaws.com:9997

I have reloaded my deployment server and clients, now I see the following when i run ./splunk list deploy-clients:

Deployment client: ip=10.171.2.174, dns=forwarder1, hostname=ip-10-171-2-174, mgmt=8089, build=128297, name=78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, id=connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, utsname=linux-x86_64
utsname: linux-x86_64
name: 78A0ADBD-7476-4C9D-9ABF-66BEB98670D6
ip: 10.171.2.174
hostname: ip-10-171-2-174
build: 128297
dns: ip-10-171-2-174.us-west-1.compute.internal
mgmt: 8089
phoneHomeTime: Sat Aug 25 07:59:33 2012
id: connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6

When I check the/opt/splunkforwarder/etc/system/local/inputs.conf file on the forwarder, it appears not to have changed at all. Shouldn't it have updated with the new inputs.conf configuration from the deployment server?

Tags (1)
0 Karma
1 Solution

BobM
Builder

Looking at your config, you have defined the app to be deployed as "web" but your config is in a folder called "webservers"

Rename the folder or change the serverclass.conf to be

[serverClass:webservers] 
whitelist.0=host1.us-west-1.compute.amazonaws.com 
[serverClass:webservers:app:webservers]

View solution in original post

0 Karma

jgedeon120
Contributor

Besides what BobM pointed out, the created App will not be put in /opt/splunkforwarder/etc/system/local/ it will be put in /opt/splunkforwarder/etc/app/. Second, you do notice/know that your whitelist.0 is not matching anything being found from the forwarder connecting to your deployment server?

0 Karma

BobM
Builder

Looking at your config, you have defined the app to be deployed as "web" but your config is in a folder called "webservers"

Rename the folder or change the serverclass.conf to be

[serverClass:webservers] 
whitelist.0=host1.us-west-1.compute.amazonaws.com 
[serverClass:webservers:app:webservers]
0 Karma

edchow
Explorer

Thanks for that, got a bit confused with folder names and app names.

Thanks Bobm.

The whitelist was OK, sorry I edited it to avoid publishing too much information.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...