How to automate Splunk forwarder configurations for server.conf?

fd26645
Path Finder

I'm trying to write a script to change the local/server.conf settings in a large number of splunkforwarders. Mainly I am trying to disable SSL settings so that they stop showing up in security scans.

I am finding this to be extremely challenging. I am getting a lot of sed errors due to the sslKeysfilePassword containing special characters. I want to change/add settings but if a setting doesn't exist I need to insert it in the correct section.

I can't help but think there must be a better way to manage this. I have a large number of splunkforwarders and editing server.conf manually on each one is going to be a huge chore. I have heard mention of the deployment manager or something like that but also have read that it doesn't manage the server.conf file.

--Edit--
If there were a Splunk CLI command that would change the specific settings, that would solve my problem also. I don't think it exists, unfortunately. Like: splunk configure set allowSslCompression = false. That way I could easily change the setting I want to change without having to worry about the format of the config file.

0 Karma
1 Solution

fd26645
Path Finder

Scripting the configuration of the server.conf file becomes much simpler when you set sslKeysfilePassword = password

Then you can just use a heredoc to set the file the way you want it.


masonmorales
Influencer

I would recommend setting up a deployment server and configuring your universal forwarders as deployment clients. You can use the deployment server to update the server.conf files on every forwarder (or set of forwarders), along with every other configuration file on the forwarders, all without ever having to log in to the forwarders.

Here are some resources to get you started:
About deployment server and forwarder management
Wiki: Deployment Server
Configure deployment clients
Plan a deployment

0 Karma

fd26645
Path Finder

From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.

0 Karma

musskopf
Builder

Wouldn't it be better, instead of editing the file, to simply replace it with a new version? Or at least a couple of standard versions of this file?

If you have that big a number of servers, an orchestration tool might help as well 😉

0 Karma

fd26645
Path Finder

If I replace it with a new file I need to preserve the hostname and the SSL key password, and that is difficult to do via script. The SSL password in particular contains special characters that need to be escaped for use with sed. Since the key is different for each forwarder I can't be sure which characters will need to be escaped, and the sed command fails.

0 Karma
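
The escaping problem described in the reply above goes away if the edit is not done with sed. An added example, not part of the original thread: a POSIX shell helper (set_conf_key, a hypothetical name) that sets one key inside one stanza of a conf file, inserts the key or the stanza when missing, and leaves every other line, including the per-host password, untouched. It works for any stanza and key; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). set_conf_key is a hypothetical helper name.
# usage: set_conf_key FILE STANZA KEY VALUE
set_conf_key() {
    file=$1
    tmp=$(mktemp "${file}.XXXXXX") || return 1   # created 0600, next to the target
    # Pass strings via the environment: awk reads ENVIRON[] literally, so
    # &, /, \, $ and | in a value are never treated as pattern syntax.
    STANZA=$2 KEY=$3 VALUE=$4 awk '
        function flush_blanks() { while (blanks > 0) { print ""; blanks-- } }
        function emit() { print ENVIRON["KEY"] " = " ENVIRON["VALUE"]; done = 1 }
        /^[ \t]*$/ { blanks++; next }            # hold blanks so inserts stay in-stanza
        /^\[/ {
            if (in_stanza && !done) emit()       # key was missing: add before next stanza
            flush_blanks()
            in_stanza = ($0 == ("[" ENVIRON["STANZA"] "]"))
            print; next
        }
        {
            flush_blanks()
            if (in_stanza && !done) {
                eq = index($0, "=")
                name = substr($0, 1, eq - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (eq > 0 && name == ENVIRON["KEY"]) { emit(); next }
            }
            print
        }
        END {
            if (!done) {
                if (!in_stanza) { flush_blanks(); print "[" ENVIRON["STANZA"] "]" }
                emit()
            }
            flush_blanks()
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file; the password is made up to contain sed-hostile characters.
demo=$(mktemp)
printf '%s\n' '[general]' 'serverName = fwd01' '' '[sslConfig]' \
    'sslKeysfilePassword = $1$a/b&c\d|e*' > "$demo"
set_conf_key "$demo" sslConfig allowSslCompression false
cat "$demo"
rm -f "$demo"
```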

satishsdange
Builder

Did you try the deployment server? You can use that for pushing/editing configurations.

0 Karma

fd26645
Path Finder

From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.

0 Karma