Getting Data In

Customer wants to manage forwarders with deployment server but we need to insist the batch ingest directory is locked

moschlegel
New Member

I've read (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles) that the precedence
of a given copy of the inputs.conf is:
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

The issue is we want to control the ingest directory for "batch:" mode to just one particular directory and even though we will have the deployment server activated, we don't want it to be able to add or change that directory. So for example if my $SPLUNK_HOME/etc/system/local/inputs.conf only contains this:

[batch:///path/to/directory/*.ext]
disabled = 0
recursive = false
move_policy = sinkhole

I do not want the admins on the deployment server to be able to do any of:
1) add another monitor or batch ingest from any other directory path than /path/to/directory/*.ext (which is set in the system local copy)
2) edit the system/local/inputs.conf batch: entry to a different path or make it a monitor (or edit it at all).

I was originally thinking that simply having a inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf would be enough to lock this down but then this in the docs concerns me:

Splunk first uses the attributes from any copy of the file in system/local.
Then it looks for any copies of the file located in the app directories,
adding any attributes found in them, but ignoring attributes already
discovered in system/local. As a last resort, for any attributes not
explicitly assigned at either the system or app level, it assigns
default values from the file in the system/default directory.

What defines an "attribute"? Suppose an inputs.conf is added by the deployment server to SPLUNK_HOME/app/myapp/inputs.conf
containing

[batch:///path/to/some/other/directory/*.ext]
disabled = 0
recursive = false
move_policy = sinkhole

is that a different 'attribute' because the path is different? What I really want is for the SPLUNK_HOME/etc/system/local/inputs.conf to be the one and only place it can get ANY ingest directory to get files to go to the indexer. So is there a way to lock that down?

0 Karma

HiroshiSatoh
Champion

If the stanzas are the same, priority will be a problem.

The following stanzas are different.
[batch:///path/to/directory/.ext]
[batch:///path/to/some/other/directory/
.ext]

0 Karma