Getting Data In

How to edit a local universal forwarder configuration that was pushed via deployment server?

Path Finder

I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.

Splunk_TA_windows/
├── default
│   └── inputs.conf #unchanged defaults
├── local
│   └── inputs.conf #edited

I enabled the Security log in local/inputs.conf, like:

[WinEventLog://Security]
disabled = 0

Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:

[WinEventLog://Application]
disabled = 0

Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?


Motivator

Not sure I'm following all of your app/local/ stuff. The reason I say that is you will need to become familiar with the order of precedence for Splunk components. When the agent first starts up it will read through the $SPLUNK_HOME/etc/system/default directory, move up to $SPLUNK_HOME/etc/apps/default, move to $SPLUNK_HOME/etc/apps/local, then back to $SPLUNK_HOME/etc/system/local. In the case of competing configs, the last one read in wins. If a user makes a change in /etc/system/local there is nothing you can push from your deployment server that will override the setting, short of a script that makes a change to /etc/system/local.

The local Windows TA installed on the UFs should be in the /etc/apps folder, so I'd push a package starting with 00 to make it 'win' over what is there now if you want to control the changes the user makes. The app name doesn't have to match; you just need a matching monitor statement name. Hope that helps.

Explorer

You can do it locally under /etc/system/local/inputs.conf. This won't be overridden. This is assuming you haven't defined it in the TA's inputs.conf (the one you're pushing out) as disabled.


Path Finder

If I enable it in system/local with:

[WinEventLog://Security]
disabled = 0

Would the configs in Splunk_TA_windows/default/inputs.conf be applied?

[WinEventLog://Application]
disabled = 1 -> 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

Or will he have to copy/paste all that into system/local?


Communicator

Those are two entirely different stanzas so they do not impact each other. Adding a new stanza to etc/system/local will only modify pre-existing stanzas if the stanzas are the same.

For example if you added a stanza like

[WinEventLog://Security]
disabled = 1

to etc/system/local this would override your deployment client's inputs.conf and effectively disable the collection on that box.

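The layering the Motivator describes and the merge-by-stanza behaviour this answer describes, as an added example that is not from the thread or from Splunk: a simplified Python model of global-context inputs.conf resolution (system/default, then each app's default, then each app's local, then system/local, with apps resolved in ASCII order so a '00'-prefixed app wins). It assumes the constructed sample files below, not anyone's real configuration; on a real forwarder the authoritative view is `splunk btool inputs list --debug`.

```python
import configparser
# Constructed sample files, relative to $SPLUNK_HOME/etc (not the poster's real files).
FILES = {
    "apps/Splunk_TA_windows/default/inputs.conf": """[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
""",
    "apps/Splunk_TA_windows/local/inputs.conf": """[WinEventLog://Security]
disabled = 0
""",
    "system/local/inputs.conf": """[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
""",
}

def parse(text):
    """Parse one .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'checkpointInterval' as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def layer_order(paths):
    """Return paths lowest-precedence first (simplified global context):
    system/default < apps/*/default < apps/*/local < system/local.
    Within a tier the app that sorts first in ASCII wins, so it is applied last."""
    tiers = {0: [], 1: [], 2: [], 3: []}
    for p in paths:
        parts = p.split("/")
        if parts[0] == "system":
            tiers[0 if parts[1] == "default" else 3].append(p)
        else:
            tiers[1 if parts[2] == "default" else 2].append(p)
    return [p for t in range(4) for p in sorted(tiers[t], reverse=True)]

def effective_config(files):
    """Merge per stanza: a later layer overrides only the keys it actually sets."""
    merged = {}
    for path in layer_order(files):
        for stanza, keys in parse(files[path]).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

if __name__ == "__main__": print(effective_config(FILES))
```

Run as-is, the Application stanza ends up enabled while keeping start_from, current_only, checkpointInterval and renderXml from the TA's default file, and the Security stanza is disabled because system/local beats the pushed app/local file.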