I want to setup my deployment server to server two different configuration files based on hostname.
I have setup the following serverclass.conf on the deployment server.
[global]
[serverClass:webservers]
whitelist.0=host1.us-west-1.compute.amazonaws.com
[serverClass:webservers:app:web]
[serverClass:proxies]
whitelist.0=host2.us-west-1.compute.amazonaws.com
[serverClass:proxies:app:proxy]
I believe I have created the match and the destination for where the forwarder picks up it app from: /$SPLUNK_HOME/etc/deployment-apps/webservers
The app directory should now contain the configuration files i need to ingest the required logfiles and forward them to the correct index i.e. inputs.conf and outputs.conf
If all I need the forwarder to do is to ingest some specific log files and have them forwarded to the a specific index, I only require an inputs.conf and outputs.conf file in this app directory.
ie. I have created: /$SPLUNK_HOME/etc/deployment-apps/webservers/inputs.conf
[monitor://opt/log/www1]
sourcetype = apache
index = web
[monitor://opt/log/www2]
sourcetype = apache
index = web
[monitor://opt/log/www3]
sourcetype = apache
index = web
And
outputs.conf
[tcpout:group1]
index1.us-west-1.compute.amazonaws.com:9997,index2.compute.amazonaws.com:9997
I have reloaded my deployment server and clients, now I see the following when i run ./splunk list deploy-clients:
Deployment client: ip=10.171.2.174, dns=forwarder1, hostname=ip-10-171-2-174, mgmt=8089, build=128297, name=78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, id=connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, utsname=linux-x86_64
utsname: linux-x86_64
name: 78A0ADBD-7476-4C9D-9ABF-66BEB98670D6
ip: 10.171.2.174
hostname: ip-10-171-2-174
build: 128297
dns: ip-10-171-2-174.us-west-1.compute.internal
mgmt: 8089
phoneHomeTime: Sat Aug 25 07:59:33 2012
id: connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6
When I check the/opt/splunkforwarder/etc/system/local/inputs.conf file on the forwarder, it appears not to have changed at all. Shouldn't it have updated with the new inputs.conf configuration from the deployment server?
Looking at your config, you have defined the app to be deployed as "web
" but your config is in a folder called "webservers
"
Rename the folder or change the serverclass.conf to be
[serverClass:webservers]
whitelist.0=host1.us-west-1.compute.amazonaws.com
[serverClass:webservers:app:webservers]
Besides what BobM pointed out, the created App will not be put in /opt/splunkforwarder/etc/system/local/ it will be put in /opt/splunkforwarder/etc/app/
Looking at your config, you have defined the app to be deployed as "web
" but your config is in a folder called "webservers
"
Rename the folder or change the serverclass.conf to be
[serverClass:webservers]
whitelist.0=host1.us-west-1.compute.amazonaws.com
[serverClass:webservers:app:webservers]
Thanks for that, got a bit confused with folder names and app names.
Thanks Bobm.
The whitelist was OK, sorry I edited it to avoid publishing too much information.