The issue is that we want to control the ingest directory for "batch:" mode to just one particular directory, and even though we will have the deployment server activated, we don't want it to be able to add or change that directory. So, for example, if my $SPLUNK_HOME/etc/system/local/inputs.conf only contains this:
I do not want the admins on the deployment server to be able to do any of:
1) add another monitor or batch ingest from any other directory path than /path/to/directory/*.ext (which is set in the system local copy)
2) edit the system/local/inputs.conf batch: entry to a different path or make it a monitor (or edit it at all).
I was originally thinking that simply having an inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf would be enough to lock this down, but then this in the docs concerns me:
Splunk first uses the attributes from any copy of the file in system/local.
Then it looks for any copies of the file located in the app directories,
adding any attributes found in them, but ignoring attributes already
discovered in system/local. As a last resort, for any attributes not
explicitly assigned at either the system or app level, it assigns
default values from the file in the system/default directory.
What defines an "attribute"? Suppose an inputs.conf is added by the deployment server to SPLUNK_HOME/app/myapp/inputs.conf: is that a different 'attribute' because the path is different? What I really want is for the SPLUNK_HOME/etc/system/local/inputs.conf to be the one and only place it can get ANY ingest directory to get files to go to the indexer. So is there a way to lock that down?
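The precedence rule quoted from the docs, worked through as an added example that is not part of the original post or Splunk's own code: attributes are merged per stanza, so a stanza that exists only in an app is not shadowed by system/local, and an app can still add attributes that system/local leaves unset. The layer contents, the `myapp` stanzas and the allow list are constructed for illustration, and layering is simplified to the three levels the docs excerpt names.

```python
import configparser

# Constructed sample layers (not from the post), highest precedence first.
# Simplified to the three levels the quoted docs name.
LAYERS = [
    ("system/local", "[batch:///path/to/directory/*.ext]\n"
                     "move_policy = sinkhole\nindex = main\n"),
    ("apps/myapp/local", "[batch:///path/to/directory/*.ext]\n"
                         "index = other\nsourcetype = custom\n"
                         "[monitor:///var/log/extra]\nindex = main\n"),
    ("system/default", "[default]\nindex = default\n"),
]
ALLOWED = {"batch:///path/to/directory/*.ext"}   # the only approved input
INPUT_PREFIXES = ("monitor://", "batch://")

def merge(layers):
    """Return {stanza: {attr: (value, layer)}}; first layer to set an attr wins."""
    merged = {}
    for layer, text in layers:
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       default_section="__unused__")
        cp.optionxform = str            # keep attribute names case-sensitive
        cp.read_string(text)
        for stanza in cp.sections():
            attrs = merged.setdefault(stanza, {})
            for key, value in cp.items(stanza):
                attrs.setdefault(key, (value, layer))
    return merged

def audit(merged, allowed=ALLOWED, trusted="system/local"):
    """List (stanza, attr, layer) for file inputs not fully defined by `trusted`."""
    findings = []
    for stanza, attrs in merged.items():
        if not stanza.startswith(INPUT_PREFIXES):
            continue                    # only file-ingest stanzas are audited
        if stanza not in allowed:
            findings.append((stanza, None, "not in allow list"))
        findings += [(stanza, key, layer) for key, (_, layer) in attrs.items()
                     if layer != trusted]
    return findings

if __name__ == "__main__":
    for finding in audit(merge(LAYERS)):
        print(finding)
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged inputs together with the file each line came from, which is the output a check like this would be run against.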