I need to make all universal forwarders send with their own IP address to the server.
I have a deployment server in place.
Is there any way we can configure the file in each client centrally?
The one way I know is that in each client, I can add the below line in the input.conf under $HOME/etc/system/local,
but is there any way I can apply this through the deployment server? Or any other way to have each forwarder send its own source IP to the server?
There's no easy way to edit system/local using the deployment server. You will have to manually delete the inputs.conf and outputs.conf files from system/local, point your forwarder to your deployment server (by editing the deploymentclient.conf file) and restart Splunk.
From there, you can edit the serverclass.conf file on your deployment server (which will store all of the names of your servers which have forwarders on them).
Then you can create a simple app in etc/deployment-apps consisting of an inputs.conf and outputs.conf file (similar to what you already had on your forwarder, but you will be able to control this remotely without messing around with the forwarder).
To make sure the forwarder uses IP address, use connection_host=IP as an option for your [WinEventLog:Security] stanza in the inputs.conf file in your app.
Once the app has been created, you will use the "splunk reload deploy-server" command to send the app to your forwarder.
Thanks very much for your comments!!
To manually delete the inputs.conf and outputs.conf files from system/local means that I should log in to 500 clients and delete them individually?? Or are there any other easier ways?
What operating system are your forwarders running on? Do you have an automated way of installing the forwarders? i.e. how did you install on 500 servers in the first place?
Both 2003 and 2008... I need to check with my colleague how they deployed all the forwarders in the first place... but let's suppose both cases, that we have a tool for the automation and that we don't have it... any difference?
OK. If you have an automated way (we use BladeLogic), you can set up a job to remove the inputs.conf and outputs.conf files from your forwarders and add a deploymentclient.conf file with the details of your deployment server (see Splunk docs), then trigger a restart. If you don't have an automated way to do this, you will have to do the same thing manually... 😞
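The files the answer and the last comment describe, laid out together as an added example (not posted by anyone in this thread). The host names, ports, server class name `win_forwarders` and app name `win_security_inputs` are placeholders; `$SPLUNK_HOME` is the Splunk install directory.

```ini
# --- On each forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Written once per forwarder (by hand or by your automation tool), after the
# old inputs.conf and outputs.conf in system/local have been removed.
# Restart the forwarder afterwards so it phones home.
[deployment-client]

[target-broker:deploymentServer]
# Placeholder host and management port of the deployment server
targetUri = deploy.example.com:8089

# --- On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf
[serverClass:win_forwarders]
# Matches every client that phones home; narrow this to host name
# patterns if only some forwarders should receive the app.
whitelist.0 = *

[serverClass:win_forwarders:app:win_security_inputs]
stateOnClient = enabled
# Restart the forwarder after the app is installed or updated
restartSplunkd = true

# --- On the deployment server:
# $SPLUNK_HOME/etc/deployment-apps/win_security_inputs/local/inputs.conf
[WinEventLog:Security]
disabled = 0
# Setting as given in the answer above; confirm it against the
# inputs.conf.spec shipped with your forwarder version.
connection_host = ip

# --- On the deployment server:
# $SPLUNK_HOME/etc/deployment-apps/win_security_inputs/local/outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder indexer host and receiving port
server = indexer.example.com:9997
```

After changing serverclass.conf or the app, run `splunk reload deploy-server` on the deployment server, as the answer says, so clients pick up the new version on their next check-in.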