I have in theory a very simple question. Hopefully this is as simple as I think it is. I have a deployment server and a Universal Forwarder (UF). I also have an indexer and search head. My question is, how do I configure my deployment server to have the UF forward all logs to a certain index? I have the server class and "apps" folder set up but do I drop a config file in there or what? I can't find any good documentation. Thank you so much!
Do you want to configure which indexer (server) the UF sends logs to, or do you want to specify which index all logs go into?
The index your data goes into is already defined by the input itself (inputs.conf).
To manage the "send to an indexer" configuration, read below:
Basically, you will deploy an app "sendtomy_indexer" via the deployment server to your forwarder, which tells your UF to send logs to your indexer:
1) This should cover everything: http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Configuredeploymentclients
2) To send all your data from your UF to your index, an outputs.conf must be deployed:
    [tcpout]
    disabled = false
    defaultGroup = yourIndexerGroup

    [tcpout:yourIndexerGroup]
    server = IndexerAddress:ReceivingPort
So all you need is an app "sendtomyindexer" under $SPLUNK_HOME/etc/deployment-apps which contains the outputs.conf file.
3) If not already covered by the link above, http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Updateconfigurations might help.
Thank you everyone very much for the help. This worked great. One issue though. When I configure the deployment server app and the forwarder receives the configuration, how long does it take for the configuration to go into effect on the forwarder? Do I need to manually restart the forwarder every time?
Good news, you don't have to restart the forwarder manually every time! If the UF sees a diff between the installed version of an app and the one on the DS, or a new app exists on the DS, the UF downloads the app and restarts automatically. All you need to do is:
    splunk reload deploy-server
Redeploy an app after you change its content
When you update the content of an app, you must reload the deployment server in order for the deployment server to redeploy the app.
Note: If you are using forwarder management, you must also manually reload the deployment server if you want to redeploy the app immediately. However, if you do not manually reload the deployment server, the app will still get redeployed once you make any subsequent configuration changes in forwarder management.
To redeploy an app with updated content:
1. Update the content in the relevant deployment app directory on the deployment server.
2. Reload the deployment server to make the deployment server aware of the changed content.
The deployment server then redeploys the app to all clients that it's mapped to.
1. Update the content
The topic "Create deployment apps" described how to create app directories on the deployment server. You can add or overwrite the content in those directories at any time.
2. Reload the deployment server
After you edit the content of an app, you must reload the deployment server so that the deployment server learns of the changed app. It then redeploys the app to the mapped set of clients.
To reload the deployment server, use the CLI reload deploy-server command:
    splunk reload deploy-server
The command checks all apps for changes and notifies the relevant clients.
Splunk's best practices suggest building a Technology Add-on (TA), called for example TA_Forwarders, in which you put only outputs.conf, and deploying it to all your forwarders.
In this TA you insert an outputs.conf file with all the mandatory information to send logs to indexers:
    [tcpout]
    defaultGroup = autolb

    [tcpout:autolb]
    server = xx.xx.xx.xx:9997, yy.yy.yy.yy:9997
    disabled = false

    [tcpout-server://xx.xx.xx.xx:9997]
    [tcpout-server://yy.yy.yy.yy:9997]
If you want to use SSL, you also have to insert:
    sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = xxxxxxxxxxxxxxxxxxxxx
    sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
    sslVerifyServerCert = false
    useACK = true
So the steps to do this are:
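Before reloading the deployment server, it is worth linting the outputs.conf an app carries, because a typo like a doubled bracket in a tcpout-server stanza silently breaks the forwarder's output config, and sslVerifyServerCert left at false means the forwarder never authenticates the indexer it ships data to. The check below is an added example, not code from this thread or from Splunk; the stanza and key names are the real outputs.conf ones, while the sample file, its addresses and the small parser are constructed for the example.

```python
# Added example, not from the thread: a lint for the outputs.conf that the answers above
# place in a deployment app. Sample file, addresses and parser are constructed here.

SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = autolb
[tcpout:autolb]
server = 10.0.0.1:9997, 10.0.0.2:9997
disabled = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK = true
[tcpout-server://10.0.0.1:9997]
[[tcpout-server://10.0.0.2:9997]
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (stanza text kept verbatim)."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint_outputs_conf(text):
    """Return findings for a forwarder outputs.conf; an empty list means it passed."""
    conf = parse_conf(text)
    # "[[tcpout-server://...]" parses as a stanza named "[tcpout-server://...": flag it.
    findings = [f"malformed stanza header: [{n}]" for n in conf if n.startswith("[")]
    group = conf.get("tcpout", {}).get("defaultGroup")
    grp = conf.get(f"tcpout:{group}") if group else None
    if grp is None:
        findings.append("[tcpout] defaultGroup missing or names no [tcpout:<group>] stanza")
        return findings
    merged = {**conf["tcpout"], **grp}      # group-level settings override [tcpout]
    if not any(k in merged for k in ("sslRootCAPath", "sslCertPath", "clientCert")):
        findings.append("no TLS settings: forwarder-to-indexer traffic is sent in the clear")
    elif merged.get("sslVerifyServerCert", "false").lower() != "true":
        findings.append("sslVerifyServerCert is not true: any indexer certificate is accepted")
    return findings
```

Run it over each deployment app's outputs.conf before `splunk reload deploy-server`; the sample above yields the malformed-header and sslVerifyServerCert findings, and passes once both are fixed.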
Thank you everyone! It worked out perfectly! I used this document to create the app that would allow the deployment server to tell the Forwarder which data to collect and which index to send it to: http://docs.splunk.com/Documentation/Splunk/6.5.0/Updating/Extendedexampledeployseveralstandardforwa...