Install Windows Deployment Client WITHOUT DEPLOYMENT_SERVER flag. Can it work??

mfeeny1
Path Finder

Hi. I've been struggling with this for more days than I'd care to admit. I'm HOPING someone can advise... (EnableBegging=True 🙂)

GOAL: Install Universal Forwarder on Windows as a Deployment Client, via the CLI ("msiexec.exe /i ..."), such that deploymentclient.conf is NOT in "etc\system\local".

WHY: With deploymentclient.conf in "etc\system\local", it is impossible for the Deployment Server to change or override that configuration, in the event that, at some later date, we want to change the Deployment Server. In that scenario, we would have to touch every Deployment Client manually.

RESULTS FROM TESTING: If I include the DEPLOYMENT_SERVER flag in the CLI msiexec command, a deploymentclient.conf file is created, and placed in "etc\system\local". This actually "works", in that the DeploymentClient finds the Deployment Server, gets its config files, and begins eating log files and forwarding them to the Indexers - just like clockwork! But, as explained above, it has the undesirable effect of placing deploymentclient.conf in a place where no DS-deployed apps can override it.

Conversely, if I OMIT the DEPLOYMENT_SERVER flag from the CLI msiexec command, NO deploymentclient.conf file is created in "etc\system\local" -- or anywhere else, for that matter. So far, so good (I thought!).

So, I next manually place deploymentclient.conf where I want it (in an "apps" directory), where it could be overridden at some later date. The problem is: I CAN'T GET THE DEPLOYMENT CLIENT TO FIND AND/OR USE deploymentclient.conf. I have done a "splunk restart", and I have Started the SplunkForwarder service (many, many times), but the Deployment Client never tries to contact the Deployment Server (packet captures confirm that it never sends a single packet to the DS).

It seems that, once the Universal Forwarder is installed WITHOUT the DEPLOYMENT_SERVER flag, it will never learn how to contact the Deployment Server, and will never become a Deployment Client.

As further indication of this last statement, I tried one other test. I installed the Universal Forwarder, WITHOUT the DEPLOYMENT_SERVER flag, and then I placed deploymentclient.conf in "etc\system\local". STILL, after issuing splunkd restarts, and restarting the service, the Universal Forwarder does not try to contact the Deployment Server, even though deploymentclient.conf is in the very place where it lands when things "work" (when I do use the DEPLOYMENT_SERVER flag).

And... One final, additional piece of evidence... When I install WITHOUT the DEPLOYMENT_SERVER flag, splunkd.log contains the below message, that may be the key to explaining this behavior:

WARN DeploymentClient - Property targetUri not found. DeploymentClient is disabled.

So, it seems that, if no Deployment Server is defined at install time, then Deployment Client functionality is disabled.

So... Either what I'm trying to do is not possible, OR... I need to learn how to "enable" DeploymentClient after the install.

Thanx for listening - I know it took a while! I will entertain all suggestions, questions or explanations.

mfeeny1

afret2007
Path Finder

This is old, but in case someone else has your question, I may have the solution. Install it like you normally would. Create an app called something like mydeployment on your Deployment Server. Under the app folder, create a local directory folder. Copy your deploymentclient.conf file into that folder. Restart the deployment server so it deploys out to all the servers in your server classes. ANY CHANGES MADE TO APP deploymentclient.conf WILL override the etc\system\local\deploymentclient.conf. I have done this myself to change the clientname on all my forwarders using clientname = $HOSTNAME under the deployment-client stanza. Apps will override etc\system\local configurations if the app configurations are in a local directory folder as well. App configurations will not override if they have been placed in a default directory folder.

afret2007

0 Karma

jsb22
Path Finder

You could try to do what our site did. We put a DNS alias entry on our DNS servers so the IP of the server mapped to 'splunk' and specified 'splunk' as the targetURI. If you ever change which server is the deployment server, you just have to update which IP the alias in DNS points to.

dmaislin_splunk
Splunk Employee

Just run a command at $SPLUNK_HOME/splunk set deploy-poll splunk.hostname.com:8089 -auth admin:changeme and restart the forwarder.

cyberbob
Engager

This helped me with my similar problem. 🙂 Thanks!

0 Karma

dmaislin_splunk
Splunk Employee

Never mind this. I misread.

0 Karma

mfeeny1
Path Finder

UPDATE: I thought I had the answer. After more thinking and reading, I decided I could get this to work if I used the LAUNCHSPLUNK=0 switch during the install, then placed deploymentclient.conf, and then did a splunk start.

NOPE. This didn't work either - even if I put deploymentclient.conf in etc/system/local.

I still get the following message when I start splunk:

WARN DeploymentClient - Property targetUri not found. DeploymentClient is disabled.

And, still, no attempts are made to contact the Deployment Server (and, issuing ./splunk list deploy-clients on the Deployment Server shows my target is STILL not a Deployment Client).

I tried one more diagnostic step: btool. If I issue the following command, on the Deployment Client...

splunk cmd btool deploymentclient list

...btool finds the Deployment Server configuration info, as follows:

[target-broker:deploymentServer]

targetUri = "Deployment-Server-URI":9996

...but, again, the Deployment Client will not use this info to phone home.

Unless I get some enlightenment from one of you listeners, my next step will be to submit a case.

Thx,
mfeeny1

0 Karma
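The btool check from the post above can be taken one step further with `--debug`, which prefixes every setting with the file it was read from. The following is an added example, not code from any poster in this thread: it parses that output and reports which file supplies `targetUri` and whether that file lives in an app or in `etc\system\local`. The sample output, the app name `mydeployment`, the host alias `splunk` and the function names are constructed for illustration, and the "path, whitespace, setting" line layout is an assumption about the `--debug` format.

```python
import re

# Constructed sample of `splunk cmd btool deploymentclient list --debug` output.
# Assumed layout: source file path, whitespace, then the stanza or setting line.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\mydeployment\local\deploymentclient.conf  [target-broker:deploymentServer]
C:\Program Files\SplunkUniversalForwarder\etc\apps\mydeployment\local\deploymentclient.conf  targetUri = splunk:8089
C:\Program Files\SplunkUniversalForwarder\etc\system\default\deploymentclient.conf           [deployment-client]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf             clientName = host01
"""

# Paths may contain spaces, so split at the first ".conf" followed by whitespace.
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>\S.*)$")

def scope_of(path):
    """Classify a conf path as system/<dir>, app:<name>/<dir>, or unknown."""
    tail = path.replace("\\", "/").lower().split("/etc/", 1)
    segs = tail[1].split("/") if len(tail) == 2 else []
    if segs[:1] == ["system"] and len(segs) >= 3:
        return "system/" + segs[1]
    if segs[:1] == ["apps"] and len(segs) >= 4:
        return "app:%s/%s" % (segs[1], segs[2])
    return "unknown"

def effective_settings(btool_debug_text):
    """Map (stanza, key) -> (value, source path, scope) from --debug output."""
    settings, stanza = {}, None
    for raw in btool_debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
        elif "=" in body and stanza is not None:
            key, value = (p.strip() for p in body.split("=", 1))
            settings[(stanza, key)] = (value, m.group("path"), scope_of(m.group("path")))
    return settings

def target_uri_report(btool_debug_text):
    """Report where targetUri comes from and whether an app supplies it."""
    hit = effective_settings(btool_debug_text).get(("target-broker:deploymentServer", "targetUri"))
    if hit is None:
        return {"found": False, "value": None, "scope": None, "managed_by_app": False}
    value, _path, scope = hit
    return {"found": True, "value": value, "scope": scope, "managed_by_app": scope.startswith("app:")}

if __name__ == "__main__":
    print(target_uri_report(SAMPLE))
```
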