I'm trying to write a script to change the local/server.conf settings in a large number of splunkforwarders. Mainly I am trying to disable SSL settings so that they stop showing up in security scans.
I am finding this to be extremely challenging. I am getting a lot of sed errors due to the sslKeysfilePassword containing special characters. I want to change/add settings but if a setting doesn't exist I need to insert it in the correct section.
I can't help but think there must be a better way to manage this. I have a large number of splunkforwarders and editing server.conf manually on each one is going to be a huge chore. I have heard mention of the deployment manager or something like that but also have read that it doesn't manage the server.conf file.
--Edit--
If there were a splunk CLI command that would change the specific settings, that would solve my problem also. I don't think it exists, unfortunately. Like splunk configure set allowSslCompression = false
That way I could easily change the setting I want to change without having to worry about the format of the config file.
Scripting the configuration of the server.conf file becomes much simpler when you set sslKeysfilePassword = password
Then you can just use a heredoc to set the file the way you want it.

I would recommend setting up a deployment server and configuring your universal forwarders as deployment clients. You can use the deployment server to update the server.conf files on every forwarder (or set of forwarders), along with every other configuration file on the forwarders, all without ever having to log in to the forwarders.
Here are some resources to get you started:
About deployment server and forwarder management
Wiki: Deployment Server
Configure deployment clients
Plan a deployment
From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.

Wouldn't it be better, instead of editing the file, to simply replace it with a new version? Or at least a couple of standard versions of this file?
If you have that big a number of servers, an orchestration tool might help as well 😉
If I replace with a new file I need to preserve the hostname and the ssl key password, and that is difficult to do via script. The ssl password in particular contains special characters that need to be escaped for use with sed. Since the key is different for each forwarder I can't be sure which characters will need to be escaped and the sed command fails.
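
The edit described in this thread (change a setting, or insert it into the right stanza when it is absent, while leaving a password full of special characters untouched) can be done with awk reading its values from the environment instead of sed. This is an added example, not part of any post in the thread; the function name `set_conf_key`, the `[general]` and `[sslConfig]` sample stanzas and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: set KEY = VALUE inside [STANZA] of an INI-style .conf file.
# Values travel through the environment and are compared as literal strings,
# so characters such as & / \ | $ * never reach a sed or regex pattern.
set_conf_key() {  # usage: set_conf_key FILE STANZA KEY VALUE
    file=$1; tmp="$file.tmp.$$"
    ( umask 077   # the temp copy holds the password: owner-only
      CONF_STANZA=$2 CONF_KEY=$3 CONF_VALUE=$4 awk '
        function emit() { print ENVIRON["CONF_KEY"] " = " ENVIRON["CONF_VALUE"]; done = 1 }
        BEGIN { want = "[" ENVIRON["CONF_STANZA"] "]" }
        /^\[.*\][ \t]*$/ {                      # stanza header
            if (inside && !done) emit()         # leaving target stanza, key was absent
            hdr = $0; sub(/[ \t]+$/, "", hdr)
            inside = (hdr == want); if (inside) seen = 1
            print; next
        }
        inside {
            line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=")
            name = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", name)
            if (eq && name == ENVIRON["CONF_KEY"]) {
                if (!done) emit()               # replace first match
                next                            # drop the old line and duplicates
            }
        }
        { print }
        END {
            if (!seen) { print ""; print want } # stanza missing: append it
            if (!done) emit()
        }' "$file" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"        # rewrite in place: owner and mode kept
}

demo() {  # constructed sample, not a real forwarder config; password is made up
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
[general]
serverName = fwd-042

[sslConfig]
sslKeysfilePassword = $1$aB/c&d\e|f*g==
EOF
    set_conf_key "$conf" sslConfig allowSslCompression false
    cat "$conf"; rm -f "$conf"
}
demo
```

Because every other line is copied through unchanged, the existing hostname and key password survive the edit, and running the function again with the same arguments leaves the file as it is.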

Did you try deployment server? You can use that for pushing/edit configurations.
From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.
