We are in the process of migrating a lot of hosts to report to a new deployment server. The deploymentclient.conf file was changed to reflect the IP address of the new deployment server, the hosts phone home to the new deployment server, and we verify logs coming in. Then, after some time, something modifies the deploymentclient.conf file to have the hosts report back to the old deployment server. We cannot seem to figure out what is making this change. We uninstalled and reinstalled the universal forwarder on a test client this past week and everything was fine. Then the same thing happened yesterday and the host is reporting back to the old deployment server. This is happening on some hosts, not all. The ones that do not have this problem are reporting to the same new deployment server with no problems.
Any suggestions would be helpful.
We do not use a third party app. Also, there is only 1 deploymentclient.conf file that is getting deployed. It is the same file that was de[p
Do you have a third-party tool like Ansible or BigFix that might be restoring the file to what it thinks it should be?
Do you have multiple deploymentclient.conf files in different apps in your DS? If so, make sure they're all updated with the new DS's address. Better yet, refactor the apps so you have only one deploymentclient.conf file.
Suggestion: use btool to find out exactly which deploymentclient.conf is getting overwritten.
# /opt/splunkforwarder/bin/splunk btool deploymentclient list --debug
/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf [deployment-client]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf clientName = my_fwdr
/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf phoneHomeIntervalInSecs = 500
/opt/splunkforwarder/etc/system/local/deploymentclient.conf [target-broker:deploymentServer]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf targetUri = mydeploymentserver.mycompany.com:1234
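An added example, not part of the original thread: a small Python check that parses `btool ... list --debug` output in the shape shown above, reports which file supplies the effective `targetUri`, and flags drift from the expected deployment server. The sample input is constructed from the output above, `newds.example.com:8089` is a placeholder, and paths are assumed to contain no spaces.

```python
import re

# Constructed sample in the shape of the btool --debug output shown above.
SAMPLE = """\
/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf [deployment-client]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf clientName = my_fwdr
/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf phoneHomeIntervalInSecs = 500
/opt/splunkforwarder/etc/system/local/deploymentclient.conf [target-broker:deploymentServer]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf targetUri = mydeploymentserver.mycompany.com:1234
"""

# Each line is "<source file> <stanza header or key = value>".
LINE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+?)\s*$")

def parse_btool(text):
    """Yield (source_file, stanza, key, value) for every effective setting."""
    stanza = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        path, rest = m.group("path"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]  # remember the current stanza
        elif "=" in rest:
            key, value = (p.strip() for p in rest.split("=", 1))
            yield path, stanza, key, value

def check_target(text, expected_uri):
    """Return (ok, source_file, actual_uri) for the effective targetUri."""
    for path, stanza, key, value in parse_btool(text):
        if stanza and stanza.startswith("target-broker:") and key == "targetUri":
            return value == expected_uri, path, value
    return False, None, None

if __name__ == "__main__":
    import sys
    # Pipe real btool output in, or run without a pipe to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    expected = sys.argv[1] if len(sys.argv) > 1 else "newds.example.com:8089"
    ok, src, uri = check_target(text, expected)
    print(f"{'OK' if ok else 'DRIFT'}: targetUri={uri} set by {src}")
```

Run on a schedule with the btool output piped in, a DRIFT result names the file that was rewritten, which narrows down where to look for whatever is replacing it.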
We figured out the issue. Seems there was a script that was replacing the file.
Thanks for all your responses.
Hi,
What was the script name? Was it your custom script or some Splunk default script?
It was a custom script.