I was trying to edit outputs.conf for universal forwarder, but when i was searching for outputs.conf file in
i can see only README
does it means i need to change outputs.conf in deployment server ? if i need to change it in deployment server do i need change in an app ? if so what is the exact path that i can edit outputs.conf for the forwarder in deployment server please.
Hi @raghu0463 ,
If you are unable to find, outputs.conf in system\local, then it might happen, while installing Universal Forwarder you have not mentioned Indexer's IP, when it pop-up for that.
You can edit outputs.conf @ /opt/splunk/etc/deployment-apps//local/outputs.conf. Remember this will be for the app, if you want for system, then you can create outputs.conf in universal forwarder and give indexer's IP with port. Hence \etc\system* does not sync with Deploymentclient
It is easy to identify if the forwarder connected to the Deployment server or not. follow the below steps, assuming you have the deployment server configured in your environment.
1. You did see deploymentclient.conf under system/local on the forwarder, Do you see the forwarder pointed to the right deployment server? another place to check for the deploymentclient.conf is $SPLUNK_HOME/etc/apps on the forwarder
2. Grab the IP or the hostname of the forwarder, login to the deployment server UI->settings->forwarder management->under clients tab-> try to search for the IP or the hostname of the forwarder
3. If you don't see the expected details from the above steps, first you need to fix the connectivity between the deployment server and the forwarder
4. If you have the deployment server in the environment, best practice is to always deploy the configurations from the deployment server. Place to edit the configurations on the deployment server is $SPLUNK_HOME/etc/deployment-apps. Edit or create your outputs.conf in an app under deployment-apps and configure the server classes appropriately.
5. Now run the command "$SPLUNK_HOME/bin/splunk reload deploy-server" on the deployment server and you should see the configurations deployed under $SPLUNK_HOME/etc/apps on the forwarders
is this a production system or some testing systems?
on production systems, you should be having an app/or some procedure already for outputs.conf.
guessing this as a recent fresh UF installation, maybe, you need to add this UF to a server classs, so that the app's related to the server class will be deployed this UF. please provide some more details.
the best way to manage outputs.conf of forwarders using a Deployment Server is to create a dedicated TA containing your outputs.conf and deploy it to all Forwarders using Deployment Server.
Remember to delete outputs.conf from $SPLUNK_HOME/etc/system/local because files in this folder are out of Deployment Server Management.
If a UF is under deployment server control then never ever edit config files on the universal forwarder directly. Always go through the deployment server.
By default, you'll find the deployment apps on the deployment server in
/opt/splunk/etc/deployment-apps. Check the serverclasses for that particular forwarder to get the list of apps it receives, and check those apps for an outputs.conf.
You can run this on the CLI of the forwarder:
splunk show deploy-server, or
splunk btool --debug deploymentclient list, or look at all deploymentclient.conf files (start with etc/system/local).
I'm sorry actually I asked the question in bit different way, I was trying to find outputs.conf in the server where forwarder is installed in the path etc/system/local but I could see only these files
and I'm bit confused whether this forwarder is connected to a deployment server or not, is there any way that I can find this forwarder is connected to deployment server, so that I can directly go to deployment server and edit the outputs.conf of this forwarder.
It is easy to test if that forwarder connected to the deployment server already or not. Follow these steps, assuming you did configured the deployment server in your environment.