Getting Data In

Deployment server for heavy forwarders best practices

splunkreal
Motivator

Hello, if you have a specific app conf (for example after configuring it through the HF web GUI for a specific site), is it still recommended to use the deployment server, given that this requires syncing / copying the HF app/local conf back to the deployment server's etc/deployment-apps/app/local to avoid any deletion when reloading the deployment server / updating the app from the DS?

I guess using DS is good for centralizing (same) configurations across HFs?

https://docs.splunk.com/Documentation/Splunk/9.3.0/Updating/Createdeploymentapps

"The only way to allow an instance to continue managing its own copy of such an app is to disable the instance's deployment client functionality. If an instance is no longer a client of a deployment server, the deployment server will no longer manage its apps."

 

Thanks.

* If this helps, please upvote or accept solution if it solved *

splunkreal
Motivator

Solution from support:

"Yes, it is still recommended to use the Deployment Server for centralized management and consistency across Heavy Forwarders.

However, if local customizations are required, ensure those changes are synced back to the DS (etc/deployment-apps/<app_name>/local) to prevent overwrites.

Alternatively, use 'excludeFromUpdate' in serverclass.conf to protect specific files or directories.

For better scalability, avoid making direct changes on HFs and manage all configurations via the DS whenever possible."

* If this helps, please upvote or accept solution if it solved *


PickleRick
SplunkTrust

It's a bit of a philosophical issue.

Firstly, there can be many things done on HFs. Some people run modular inputs on them, some have them just for receiving HEC, others have a "parsing layer" before sending data to indexers. So there are several different use cases.

As a rule of thumb it's best to use DS to distribute apps to forwarders regardless of what kind of forwarders they are. There are some caveats though.

Most importantly, many modular inputs require interactive configuration from webui. And those can create configuration items which might:

1) Hold sensitive data like authorization info for external services

2) Be encrypted in a way that is not transferable between forwarders.

So you might end up in a situation where you might not want to distribute a particular app and its settings centrally.

As for me, assuming you can do that (because either the above-stated points do not apply or are of no concern) I'd deploy an app like that on a testing rig, create configuration for a given input, capture the resulting conf files and add them to an app pushed from DS to the production environment.
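An added example, not code from the thread or from Splunk: a pre-reload check that compares a heavy forwarder's `local` conf with the deployment server's copy under `etc/deployment-apps/<app_name>/local`, listing settings that would be lost on the next push and holding back values that look instance-encrypted. The `$7$`/`$1$` prefix test is a heuristic for values encrypted with the instance's own secret; the stanza names, URL and token are constructed sample data.

```python
import re

# Heuristic (assumption): Splunk-encrypted values start with $7$ or $1$
ENCRYPTED = re.compile(r"^\$[17]\$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def drift(hf_text, ds_text):
    """Return (sync, hold): HF settings that the DS copy lacks or differs on."""
    hf, ds = parse_conf(hf_text), parse_conf(ds_text)
    sync, hold = [], []
    for stanza, settings in hf.items():
        for key, value in settings.items():
            if ds.get(stanza, {}).get(key) == value:
                continue  # DS already carries this setting
            (hold if ENCRYPTED.match(value) else sync).append((stanza, key))
    return sorted(sync), sorted(hold)

# Constructed sample: local/inputs.conf on one HF after web UI configuration
HF_LOCAL = """
[example_modinput://site_a]
interval = 300
api_url = https://api.example.invalid/v1
api_token = $7$Zm9vYmFyY29uc3RydWN0ZWQ=
"""
# Constructed sample: etc/deployment-apps/<app_name>/local/inputs.conf on the DS
DS_LOCAL = """
[example_modinput://site_a]
interval = 600
"""

if __name__ == "__main__":
    sync, hold = drift(HF_LOCAL, DS_LOCAL)
    for stanza, key in sync:
        print(f"sync to DS before reload: [{stanza}] {key}")
    for stanza, key in hold:
        print(f"keep off the DS (instance-encrypted): [{stanza}] {key}")
```

Settings in the second list are the ones the reply above warns about: they either stay local (for instance via `excludeFromUpdate`) or are re-entered per forwarder rather than copied.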
