I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.
Splunk_TA_windows/
├── default
│ └── inputs.conf #unchanged defaults
├── local
│ └── inputs.conf #edited
I enabled the Security log in local/inputs.conf, like:
[WinEventLog://Security]
disabled = 0
Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:
[WinEventLog://Application]
disabled = 0
Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?
Not sure I'm following all of your app/local/ stuff. The reason I say that is that you will need to become familiar with the order of precedence for Splunk components. When the agent first starts up it will read through the $SPLUNK_HOME/etc/system/default directory, move up to $SPLUNK_HOME/etc/apps/default, move to $SPLUNK_HOME/etc/apps/local, then back to $SPLUNK_HOME/etc/system/local. In the case of competing configs, the last one read in wins. If a user makes a change in /etc/system/local there is nothing you can push from your deployment server that will override the setting, short of a script that makes a change to /etc/system/local.
The local Windows TA installed on the UFs should be in the /etc/apps folder, so I'd push a package starting with 00 to make it 'win' over what is there now if you want to control changes the user makes. The app name doesn't have to match; you just need a matching monitor statement name. Hope that helps.
You can do it locally under /etc/system/local/inputs.conf. This won't be overridden. This is assuming you haven't defined it in the TA's inputs.conf (the one you're pushing out) as disabled.
If I enabled in system/local with:
[WinEventLog://Security]
disabled = 0
Would the configs in Splunk_TA_windows/default/inputs.conf be applied?
[WinEventLog://Application]
disabled = 1 -> 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
Or will he have to copy/paste all that into system/local?
Those are two entirely different stanzas so they do not impact each other. Adding a new stanza to etc/system/local will only modify pre-existing stanzas if the stanzas are the same.
For example, if you added a stanza like
[WinEventLog://Security]
disabled = 1
to etc/system/local this would override your deployment client's inputs.conf and effectively disable the collection on that box.
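The layering the answers above describe (a higher-precedence file overrides a stanza key by key, while stanzas that exist only in one file pass through untouched) can be modelled directly. The following is an added example, not code from this thread or from Splunk itself; it parses constructed inputs.conf contents for the TA's default, the TA's local, and system/local layers, and merges them in the order the answer gives. The file paths and stanza contents are assumptions for illustration, not copied from a real forwarder.

```python
import configparser

# Constructed sample layers, listed lowest precedence first, in the order the
# answer above describes: app default -> app local -> system/local.
# Contents are illustrative, not the real Splunk_TA_windows files.
LAYERS = [
    ("etc/apps/Splunk_TA_windows/default/inputs.conf", """
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
"""),
    # What the deployment server pushes: enable Security only.
    ("etc/apps/Splunk_TA_windows/local/inputs.conf", """
[WinEventLog://Security]
disabled = 0
"""),
    # What the user sets by hand on one forwarder: enable Application.
    ("etc/system/local/inputs.conf", """
[WinEventLog://Application]
disabled = 0
"""),
]


def parse_conf(text):
    """Parse one .conf body into {stanza: {key: value}} (key case preserved)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep checkpointInterval / renderXml as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def merge_layers(layers):
    """Overlay layers in order: a later layer overrides matching keys inside a
    matching stanza; keys and stanzas it does not mention are left as-is."""
    merged = {}
    for _path, text in layers:
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def effective(layers=LAYERS):
    """Effective inputs.conf for the constructed forwarder."""
    return merge_layers(layers)


def with_system_local_override(layers=LAYERS):
    """Same forwarder after someone adds [WinEventLog://Security] disabled = 1
    to system/local: the pushed TA setting loses and Security collection stops."""
    override = ("etc/system/local/inputs.conf", "[WinEventLog://Security]\ndisabled = 1\n")
    return merge_layers(list(layers) + [override])


if __name__ == "__main__":
    for stanza, keys in effective().items():
        print(f"[{stanza}]")
        for key, value in keys.items():
            print(f"{key} = {value}")
        print()
```

The merged result shows why the user does not need to copy the whole Application stanza into system/local: `disabled = 0` there is enough, and `start_from`, `checkpointInterval` and the rest still come from the TA's default file. The override function shows the flip side a defender should watch for: a single `disabled = 1` in system/local silently turns off Security event collection on that host and nothing pushed from the deployment server restores it. On a real forwarder the authoritative view of the merged result is `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which also prints the file each key was taken from.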