Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to automate Splunk forwarder configuration...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-24-2015
04:46 PM
I'm trying to write a script to change the local/server.conf settings in a large number of splunkforwarders. Mainly I am trying to disable SSL settings so that they stop showing up in security scans.
I am finding this to be extremely challenging. I am getting a lot of sed errors due to the sslKeysfilePassword containing special characters. I want to change/add settings but if a setting doesn't exist I need to insert it in the correct section.
I can't help but think there must be a better way to manage this. I have a large number of splunkforwarders and editing server.conf manually on each one is going to be a huge chore. I have heard mention of the deployment manager or something like that but also have read that it doesn't manage the server.conf file.
--Edit--
If there were a splunk CLI command that would change the specific settings that would solve my problem also I don't think it exists unfortuantly. Like splunk configure set allowSslCompression = false That way I could easily change the setting I want to change without having to worry about the format of the config file.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-31-2015
04:52 PM
Scripting the configuration of the server.conf file becomes much simpler when you set sslKeysfilePassword = password
Then you can just use a heredoc to set the file the way you want it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-31-2015
04:52 PM
Scripting the configuration of the server.conf file becomes much simpler when you set sslKeysfilePassword = password
Then you can just use a heredoc to set the file the way you want it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
masonmorales
Influencer
03-25-2015
06:55 AM
I would recommend setting up a deployment server and configuring your universal forwarders as deployment clients. You can use the deployment server to update the server.conf files on every forwarder (or set of forwarders), along with every other configuration file on the forwarders, all without ever having to login to the forwarders.
Here are some resources to get your started:
About deployment server and forwarder management
Wiki: Deployment Server
Configure deployment clients
Plan a deployment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-25-2015
12:00 PM
From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
musskopf
Builder
03-24-2015
06:28 PM
Wouldn't be better to instead of editing the file, simply replace with a new version? Or at least a couple of standard versions of this file?
If you have that big number of server, an orchestration tool might help as well 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-25-2015
12:00 PM
If I replace with a new file I need to preserve the hostname and the ssl key password and that is difficult to do via script. the ssl password in particular contains special characters that need to be escaped for use with sed. Since the key is different for each forwarder I can't be sure which characters will need to be escaped and the sed command fails.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
satishsdange
Builder
03-25-2015
12:52 AM
Did you try deployment server? You can use that for pushing/edit configurations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fd26645
Path Finder
03-25-2015
12:02 PM
From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
