
How to edit outputs.conf for universal forwarder in linux

Explorer

Hi,

I was trying to edit outputs.conf for a universal forwarder, but when I searched for the outputs.conf file in

etc/system/local

I can see only:

README
inputs.conf
server.conf
deploymentclient.conf

Does this mean I need to change outputs.conf on the deployment server? If I need to change it on the deployment server, do I need to change it in an app? If so, what is the exact path where I can edit outputs.conf for the forwarder on the deployment server, please?

Thanks

0 Karma

Path Finder

Hi @raghu0463 ,

If you are unable to find outputs.conf in system\local, it may be that you did not enter the indexer's IP when prompted for it while installing the Universal Forwarder.
You can edit outputs.conf at /opt/splunk/etc/deployment-apps//local/outputs.conf. Remember, this will be for the app; if you want it for system, then you can create outputs.conf on the universal forwarder and give the indexer's IP with port. Hence, \etc\system* does not sync with Deploymentclient.

Bye,
Sarvesh
Keep Splunking

0 Karma

Path Finder

@raghu0463
Please upvote the comments that are helpful 🙂

0 Karma

Communicator

raghu0463

It is easy to identify whether the forwarder is connected to the deployment server or not. Follow the steps below, assuming you have the deployment server configured in your environment.
1. You did see deploymentclient.conf under system/local on the forwarder. Do you see the forwarder pointed to the right deployment server? Another place to check for deploymentclient.conf is $SPLUNK_HOME/etc/apps on the forwarder.
2. Grab the IP or the hostname of the forwarder, log in to the deployment server UI -> Settings -> Forwarder Management -> under the Clients tab, and try to search for the IP or the hostname of the forwarder.
3. If you don't see the expected details from the above steps, first you need to fix the connectivity between the deployment server and the forwarder.
4. If you have a deployment server in the environment, the best practice is to always deploy the configurations from the deployment server. The place to edit the configurations on the deployment server is $SPLUNK_HOME/etc/deployment-apps. Edit or create your outputs.conf in an app under deployment-apps and configure the server classes appropriately.
5. Now run the command "$SPLUNK_HOME/bin/splunk reload deploy-server" on the deployment server, and you should see the configurations deployed under $SPLUNK_HOME/etc/apps on the forwarders.

0 Karma

Super Champion

Is this a production system or a test system?
On production systems, you should already have an app or some procedure for outputs.conf.
Guessing this is a recent fresh UF installation, maybe you need to add this UF to a server class, so that the apps related to the server class will be deployed to this UF. Please provide some more details.

0 Karma

Ultra Champion

-- on production systems, you should be having an app/or some procedure already for outputs.conf.

No doubt.

0 Karma

Legend

Hi raghu0463,
the best way to manage outputs.conf of forwarders using a Deployment Server is to create a dedicated TA containing your outputs.conf and deploy it to all Forwarders using Deployment Server.
Remember to delete outputs.conf from $SPLUNK_HOME/etc/system/local because files in this folder are out of Deployment Server Management.
Bye.
Giuseppe

0 Karma
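The dedicated-app layout recommended in the replies above, as an added example that is not taken from any of the posts: a function that writes outputs.conf into an app under deployment-apps and maps that app to a server class in serverclass.conf. The app name, server class name, indexer address and the temporary directory standing in for $SPLUNK_HOME on the deployment server are all assumptions.

```shell
#!/bin/sh
# Added example: scaffold a deployment app that carries outputs.conf.
# ds_home stands in for $SPLUNK_HOME on the deployment server (hypothetical values throughout).
make_outputs_app() (
    ds_home=$1; app=$2; indexer=$3; class=$4; pattern=$5
    mkdir -p "$ds_home/etc/deployment-apps/$app/local" "$ds_home/etc/system/local"

    # Where forwarders in this server class will send their data.
    cat > "$ds_home/etc/deployment-apps/$app/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexer
EOF

    sc="$ds_home/etc/system/local/serverclass.conf"
    # Append the server class only once so reruns do not duplicate stanzas.
    if ! grep -qxF "[serverClass:$class]" "$sc" 2>/dev/null; then
        cat >> "$sc" <<EOF
[serverClass:$class]
whitelist.0 = $pattern

[serverClass:$class:app:$app]
restartSplunkd = true
EOF
    fi
)

# Demo against a constructed directory; on a real deployment server the next
# step is the reload command quoted in the thread (splunk reload deploy-server).
demo=$(mktemp -d)
make_outputs_app "$demo" org_all_forwarder_outputs idx1.example.com:9997 all_forwarders '*'
cat "$demo/etc/system/local/serverclass.conf"
rm -rf "$demo"
```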

SplunkTrust

If a UF is under deployment server control then never ever edit config files on the universal forwarder directly. Always go through the deployment server.

By default, you'll find the deployment apps on the deployment server in /opt/splunk/etc/deployment-apps. Check the serverclasses for that particular forwarder to get the list of apps it receives, and check those apps for an outputs.conf.

0 Karma

SplunkTrust

You can run this on the CLI of the forwarder: splunk show deploy-server, or splunk btool --debug deploymentclient list, or look at all deploymentclient.conf files (start with etc/system/local).

0 Karma

Explorer

I'm sorry, I actually asked the question in a bit different way. I was trying to find outputs.conf on the server where the forwarder is installed, in the path etc/system/local, but I could see only these files:

README
inputs.conf
server.conf
deploymentclient.conf

and I'm a bit confused whether this forwarder is connected to a deployment server or not. Is there any way I can find out whether this forwarder is connected to a deployment server, so that I can go directly to the deployment server and edit the outputs.conf of this forwarder?

Thanks

0 Karma

Communicator

It is easy to test whether that forwarder is already connected to the deployment server or not. Follow these steps, assuming you have configured the deployment server in your environment.

  1. You did see deploymentclient.conf under system/local on the forwarder - what is in there? Verify it is in fact talking to the deployment server. If you don't see much detail under system/local, then the next bet would be etc/apps - you might have an app for the deploymentclient.conf.
  2. Grab the IP or the hostname of the forwarder and log in to the deployment server -> Settings -> Forwarder Management -> under the Clients tab -> search for the IP or the hostname of the UF. This will show the details for the UF if it was talking to the deployment server.
  3. If you don't see the expected details in the above steps, you should probably fix the connectivity between the deployment server and the UF as the first step.
  4. Once you have a deployment server configured in your environment, it is a best practice to deploy all the configurations from there. The place to find/edit those configurations on the deployment server is $SPLUNK_HOME/etc/deployment-apps; make sure you have the right serverclass.conf configured.
  5. Edit the outputs.conf on the deployment server ($SPLUNK_HOME/etc/deployment-apps) and then run the "reload" command, and you should see the configurations on the connected forwarders under $SPLUNK_HOME/etc/apps.
0 Karma
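An offline version of the forwarder-side checks discussed in this thread, added here as an example and not taken from any of the posts: it reads a forwarder's config tree to show which deployment server deploymentclient.conf points at and whether outputs.conf sits in etc/system/local or in an app. The sample tree, host names and the app name org_all_forwarder_outputs are constructed.

```shell
#!/bin/sh
# Added example: inspect a universal forwarder's config tree (no splunk binary needed).

# List copies of a .conf file under system/local and apps, relative to SPLUNK_HOME.
conf_files() (
    home=$1; name=$2
    for f in "$home"/etc/system/local/"$name" \
             "$home"/etc/apps/*/local/"$name" \
             "$home"/etc/apps/*/default/"$name"; do
        rel=${f#"$home"/}
        if [ -f "$f" ]; then printf '%s\n' "$rel"; fi
    done
)

# Print "file -> targetUri" for each deploymentclient.conf that names a deployment server.
ds_targets() (
    home=$1
    conf_files "$home" deploymentclient.conf | while IFS= read -r rel; do
        uri=$(sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*//p' "$home/$rel" | head -n 1)
        if [ -n "$uri" ]; then printf '%s -> %s\n' "$rel" "$uri"; fi
    done
)

# system-local: file in etc/system/local, outside deployment server management;
# app: outputs.conf lives only in apps under etc/apps; none: no outputs.conf found.
outputs_origin() (
    case "$(conf_files "$1" outputs.conf)" in
        "") echo none ;;
        etc/system/local/*) echo system-local ;;
        *) echo app ;;
    esac
)

# Constructed sample tree (hypothetical hosts and app name).
make_sample_uf() (
    home=$1
    mkdir -p "$home/etc/system/local" "$home/etc/apps/org_all_forwarder_outputs/local"
    printf '[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n' \
        > "$home/etc/system/local/deploymentclient.conf"
    printf '[tcpout:primary]\nserver = idx1.example.com:9997\n' \
        > "$home/etc/apps/org_all_forwarder_outputs/local/outputs.conf"
)

demo=$(mktemp -d)
make_sample_uf "$demo"
ds_targets "$demo"
outputs_origin "$demo"
rm -rf "$demo"
```

On a live forwarder, `splunk btool outputs list --debug` prints the merged outputs settings together with the file each line comes from.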