Deployment Architecture

deploymentclient.conf getting overwritten

osasfrancis
Path Finder

We are in the process of migrating a lot of hosts to report to a new deployment server. The deploymentclient.conf file was changed to reflect the IP address of the new deployment server and the hosts phones home to the new new deployment server and we verify logs coming in. Then after some time, something modifies the deploymentclient.conf file to have the hosts report back to the old deployment server. We cannot seem to figure out what is making this change. We have uninstalled and reinstalled the universal forwarder on a test client this past week and everything was fine. Then the same thing happened yesterday and the host is reporting back to the old deployment server. This is happening on some hosts, not all. The ones that do not have this problem are reporting to the same new deployment server with no problems.

Any suggestions would be helpful

Labels (1)
0 Karma
1 Solution

osasfrancis
Path Finder

We figured out the issue. Seems there was a script that was replacing the file.  

Thanks for all your responses.

View solution in original post

osasfrancis
Path Finder

We do not use a third party app. Also, there is only 1 deploymentclient.conf file that is getting deployed. It is the same file that was de[p

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Do you have a third-party tool like Ansible or BigFix that might be restoring the file to what it thinks it should be?

Do you have multiple deploymentclient.conf files in different apps in your DS?  If so, make sure they're all updated with the new DS's address.  Better yet, refactor the apps so you have only one deploymentclient.conf file.

---
If this reply helps you, Karma would be appreciated.

burwell
SplunkTrust
SplunkTrust

Suggestion: use btool to find out exactly which deploymentclient.conf is getting overwritten.

 

# /opt/splunkforwarder/bin/splunk btool deploymentclient list --debug

/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf [deployment-client]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf                              clientName = my_fwdr
/opt/splunkforwarder/etc/apps/myapp/default/deploymentclient.conf phoneHomeIntervalInSecs = 500
/opt/splunkforwarder/etc/system/local/deploymentclient.conf                              [target-broker:deploymentServer]
/opt/splunkforwarder/etc/system/local/deploymentclient.conf                              targetUri = mydeploymentserver.mycompany.com:1234
0 Karma

osasfrancis
Path Finder

We figured out the issue. Seems there was a script that was replacing the file.  

Thanks for all your responses.

Ram
Engager

Hi,
what was the script name? was it your custom script or some splunk default script.

0 Karma

osasfrancis
Path Finder

It was a custom script.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...