Getting Data In

How do I configure the Deployment Server to have a Universal Forwarder send logs to a specific index?

nmensah
Explorer

Hello everyone,

I have in theory a very simple question. Hopefully this is as simple as I think it is. I have a deployment server and a Universal Forwarder (UF). I also have an indexer and search head. My question is, how do I configure my deployment server to have the UF forward all logs to a certain index? I have the server class and "apps" folder set up but do I drop a config file in there or what? I can't find any good documentation. Thank you so much!

1 Solution

hgrow
Communicator

Hi nmensah,

Do you want to configure which indexer (server) the UF sends logs to, or do you want to specify which index all logs are going to?
The index your data goes in is already defined by the input itself (inputs.conf).
To manage the "send to an indexer" configuration, read below:

http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/HowtoforwarddatatoSplunkEnterprise covers most points.

Basically you will deploy an app "send_to_my_indexer" via the deployment server to your forwarder, which tells your UF to send logs to your indexer:

  1. Configure the UF to be managed by your deployment server
  2. Set up the "send_to_my_indexer" app on your deployment server
  3. Deploy and you are good to go

1) Should cover everything: http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Configuredeploymentclients
2) To send all your data from your UF to your index, an outputs.conf must be deployed:

[tcpout]
disabled = false
defaultGroup=yourIndexerGroup

[tcpout:yourIndexerGroup]
server=IndexerAddress:ReceivingPort

So all you need is an app "send_to_my_indexer" under SPLUNK_HOME/etc/deployment-apps which contains the outputs.conf file.

3) If not already covered by the link above http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Updateconfigurations might help

Greetings hgrow


nmensah
Explorer

Thank you everyone! It worked out perfectly! I used this document to create the app that would allow the deployment server to tell the Forwarder which data to collect and which index to send it to: http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Extendedexampledeployseveralstandardforwa...

gcusello
SplunkTrust

Hi nmensah,
Splunk's best practices suggest building a Technology Add-On (TA), called for example TA_Forwarders, in which you put only outputs.conf, and deploying it to all your forwarders.
In this TA you insert an outputs.conf file with all the information mandatory to send logs to indexers:

[tcpout]
defaultGroup = autolb

[tcpout:autolb]
server = xx.xx.xx.xx:9997, yy.yy.yy.yy:9997
disabled = false

[tcpout-server://xx.xx.xx.xx:9997]

[tcpout-server://yy.yy.yy.yy:9997]

If you want to use SSL, you also have to insert:

sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = xxxxxxxxxxxxxxxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK=true

So steps to do this are:

  • create your TA_Forwarders modifying outputs.conf;
  • copy it on your Deployment server ($SPLUNK_HOME/etc/deployment-apps);
  • deploy;
  • if you already have an outputs.conf in your Forwarder, delete (or rename) it;
  • restart Splunk.

Bye.
Giuseppe
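As an added example (not code from the thread, nor from Splunk), here is a POSIX shell script that builds the deployment app described by hgrow's steps 1-3 and by Giuseppe's TA_Forwarders bullets, putting the index choice where the thread says it belongs (inputs.conf) next to the outputs.conf that selects the indexers. Assumed names: SPLUNK_HOME defaulting to /opt/splunk, the app and server class names, the monitor path, the sourcetype, and indexer addresses passed in as constructed placeholders.

```shell
# Build the deployment app the thread describes: outputs.conf says where the UF
# sends data, inputs.conf says which index each input goes to, serverclass.conf
# maps the app to forwarders. Assumed (not from the thread): SPLUNK_HOME default,
# the monitor path and the sourcetype below.
set -eu
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Usage: make_deployment_app APP_NAME INDEX_NAME "host1:9997, host2:9997"
make_deployment_app() {
    app="$1"; index="$2"; servers="$3"
    appdir="$SPLUNK_HOME/etc/deployment-apps/$app/local"
    mkdir -p "$appdir"
    # Where to send: one load-balanced group over the listed indexers, with
    # indexer acknowledgement so the UF resends data that was not persisted.
    cat > "$appdir/outputs.conf" <<EOF
[tcpout]
defaultGroup = autolb
useACK = true

[tcpout:autolb]
server = $servers
disabled = false
EOF
    # Which index: a per-input setting, so it lives in inputs.conf, not in
    # outputs.conf. Every input defined in this app lands in $index.
    cat > "$appdir/inputs.conf" <<EOF
[monitor:///var/log/myapp/*.log]
index = $index
sourcetype = myapp:log
disabled = false
EOF
}

# Map the app to a server class matching every client. restartSplunkd makes the
# UF restart itself after downloading a changed app; after editing, run
# "$SPLUNK_HOME/bin/splunk reload deploy-server" on the deployment server.
# Overwrites any existing serverclass.conf.
map_server_class() {
    app="$1"
    sc="$SPLUNK_HOME/etc/system/local/serverclass.conf"
    mkdir -p "$(dirname "$sc")"
    cat > "$sc" <<EOF
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:$app]
restartSplunkd = true
stateOnClient = enabled
EOF
}
```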

hgrow
Communicator

Hi nmensah,

Good news, you don't have to restart the forwarder manually every time! If the UF sees a diff with the installed version of an app, or a new app exists on the DS, the UF downloads the app and restarts automatically. All you need to do is run splunk reload deploy-server

http://docs.splunk.com/Documentation/Splunk/6.3.1/Updating/Updateconfigurations#Redeploy_an_app_afte...

Redeploy an app after you change its content
When you update the content of an app, you must reload the deployment server in order for the deployment server to redeploy the app.
Note: If you are using forwarder management, you must also manually reload the deployment server if you want to redeploy the app immediately. However, if you do not manually reload the deployment server, the app will still get redeployed once you make any subsequent configuration changes in forwarder management.
To redeploy an app with updated content:
1. Update the content in the relevant deployment app directory on the deployment server.
2. Reload the deployment server to make the deployment server aware of the changed content.
The deployment server then redeploys the app to all clients that it's mapped to.
1. Update the content
The topic "Create deployment apps" described how to create app directories on the deployment server. You can add or overwrite the content in those directories at any time.
2. Reload the deployment server
After you edit the content of an app, you must reload the deployment server so that the deployment server learns of the changed app. It then redeploys the app to the mapped set of clients.
To reload the deployment server, use the CLI reload deploy-server command:
splunk reload deploy-server
The command checks all apps for changes and notifies the relevant clients.

Greetings


nmensah
Explorer

Thank you everyone very much for the help. This worked great. One issue though: when I configure the deployment server app and the forwarder receives the configuration, how long does it take for the configuration to go into effect on the forwarder? Do I need to manually restart the forwarder every time?
