Getting Data In

Can I configure the output.conf file via app deployment to enable encryption of traffic from universal forwarders to indexer?


I am trying to enable encryption of the traffic from all of my universal forwarders to the indexer. Looks like this involves updating the output.conf file on the forwarder (makes sense). No big deal but the only way I have ever configured that file is via our software deployment solution when I go to install the forwarder on a given machine. After that I never touch the file.

I can use the same solution to do a simple copy and replace to each system, but was wondering if this can be done via the app deployment system built into Splunk, the same way I would configure any other config file in any deployed app?

I could see why you would not want to do that through the deployment solution in case you mess up a config file and all your forwarders lose their ability to communicate back to the indexer after it updates. But, if you could do it then I just assume it might be as simple as creating a deployment app called something like "SplunkUniversalForwarder" and then dumping the config file in the local folder and it would take precedence over the local $SPLUNK_HOME/etc/system/local/outputs.conf file on the given forwarder.

Would that work?

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...