Getting Data In

Can I configure the output.conf file via app deployment to enable encryption of traffic from universal forwarders to indexer?

snix
Communicator

I am trying to enable encryption of the traffic from all of my universal forwarders to the indexer. Looks like this involves updating the output.conf file on the forwarder (makes sense). No big deal but the only way I have ever configured that file is via our software deployment solution when I go to install the forwarder on a given machine. After that I never touch the file.

I can use the same solution to do a simple copy and replace to each system, but was wondering if this can be done via the app deployment system built into Splunk, the same way I would configure any other config file in any deployed app?

I could see why you would not want to do that through the deployment solution in case you mess up a config file and all your forwarders lose their ability to communicate back to the indexer after it updates. But, if you could do it then I just assume it might be as simple as creating a deployment app called something like "SplunkUniversalForwarder" and then dumping the config file in the local folder and it would take precedence over the local $SPLUNK_HOME/etc/system/local/outputs.conf file on the given forwarder.

Would that work?

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...