Solved: Re: deployment question regarding apps

edchow · ‎08-24-2012

I want to setup my deployment server to server two different configuration files based on hostname.

I have setup the following serverclass.conf on the deployment server.

[global]

[serverClass:webservers]
whitelist.0=host1.us-west-1.compute.amazonaws.com
[serverClass:webservers:app:web]

[serverClass:proxies]
whitelist.0=host2.us-west-1.compute.amazonaws.com
[serverClass:proxies:app:proxy]

I believe I have created the match and the destination for where the forwarder picks up it app from: /$SPLUNK_HOME/etc/deployment-apps/webservers

The app directory should now contain the configuration files i need to ingest the required logfiles and forward them to the correct index i.e. inputs.conf and outputs.conf

If all I need the forwarder to do is to ingest some specific log files and have them forwarded to the a specific index, I only require an inputs.conf and outputs.conf file in this app directory.

ie. I have created: /$SPLUNK_HOME/etc/deployment-apps/webservers/inputs.conf

[monitor://opt/log/www1]
sourcetype = apache
index = web
[monitor://opt/log/www2]
sourcetype = apache
index = web
[monitor://opt/log/www3]
sourcetype = apache
index = web

And

outputs.conf

[tcpout:group1]
index1.us-west-1.compute.amazonaws.com:9997,index2.compute.amazonaws.com:9997

I have reloaded my deployment server and clients, now I see the following when i run ./splunk list deploy-clients:

Deployment client: ip=10.171.2.174, dns=forwarder1, hostname=ip-10-171-2-174, mgmt=8089, build=128297, name=78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, id=connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6, utsname=linux-x86_64
utsname: linux-x86_64
name: 78A0ADBD-7476-4C9D-9ABF-66BEB98670D6
ip: 10.171.2.174
hostname: ip-10-171-2-174
build: 128297
dns: ip-10-171-2-174.us-west-1.compute.internal
mgmt: 8089
phoneHomeTime: Sat Aug 25 07:59:33 2012
id: connection_10.171.2.174_8089_ip-10-171-2-174.us-west-1.compute.internal_ip-10-171-2-174_78A0ADBD-7476-4C9D-9ABF-66BEB98670D6

When I check the/opt/splunkforwarder/etc/system/local/inputs.conf file on the forwarder, it appears not to have changed at all. Shouldn't it have updated with the new inputs.conf configuration from the deployment server?

BobM · ‎08-25-2012

Looking at your config, you have defined the app to be deployed as "web" but your config is in a folder called "webservers"

Rename the folder or change the serverclass.conf to be

[serverClass:webservers] 
whitelist.0=host1.us-west-1.compute.amazonaws.com 
[serverClass:webservers:app:webservers]

View solution in original post

jgedeon120 · ‎08-25-2012

Besides what BobM pointed out, the created App will not be put in /opt/splunkforwarder/etc/system/local/ it will be put in /opt/splunkforwarder/etc/app/. Second, you do notice/know that your whitelist.0 is not matching anything being found from the forwarder connecting to your deployment server?

BobM · ‎08-25-2012

Looking at your config, you have defined the app to be deployed as "web" but your config is in a folder called "webservers"

Rename the folder or change the serverclass.conf to be

[serverClass:webservers] 
whitelist.0=host1.us-west-1.compute.amazonaws.com 
[serverClass:webservers:app:webservers]

edchow · ‎08-25-2012

Thanks for that, got a bit confused with folder names and app names.

Thanks Bobm.

The whitelist was OK, sorry I edited it to avoid publishing too much information.

deployment question regarding apps

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All