Can I configure the output.conf file via app deployment to enable encryption of traffic from universal forwarders to indexer?


I am trying to enable encryption of the traffic from all of my universal forwarders to the indexer. Looks like this involves updating the output.conf file on the forwarder (makes sense). No big deal, but the only way I have ever configured that file is via our software deployment solution when I go to install the forwarder on a given machine. After that, I never touch the file.

I can use the same solution to do a simple copy and replace to each system, but was wondering if this can be done via the app deployment system built into Splunk, the same way I would configure any other config file in any deployed app?

I could see why you would not want to do that through the deployment solution, in case you mess up a config file and all your forwarders lose their ability to communicate back to the indexer after it updates. But if you could do it, then I just assume it might be as simple as creating a deployment app called something like "SplunkUniversalForwarder" and then dumping the config file in the local folder, and it would take precedence over the local $SPLUNK_HOME/etc/system/local/outputs.conf file on the given forwarder.

Would that work?
