Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Prevent local install of app in universal forwarders

sf_user_199
Path Finder
‎12-27-2011 01:50 PM

Currently, apps on our universal forwarders are controlled by the deployment server, and the forwarder RPM & deploymentClient.conf are installed by Puppet. Even with this setup, you can still put an app in the local forwarder's app directory, and the forwarder will run it.

What can I do to only allow apps from the universal forwarder to run?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎12-27-2011 08:27 PM

Pretty much you would have to do it like you'd protect any other application (or the OS itself) on the remote machine: set up user and file system (and other) permissions to prevent modification of the application. This may mean installing and running Splunk as a a special user.

I do note that using puppet, you can fairly easily ensure that the $SPLUNK_HOME/etc/apps (and in fact the entire etc folder) does not get modified, and that if it does, puppet brings it back into sync.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎12-27-2011 08:27 PM

Pretty much you would have to do it like you'd protect any other application (or the OS itself) on the remote machine: set up user and file system (and other) permissions to prevent modification of the application. This may mean installing and running Splunk as a a special user.

I do note that using puppet, you can fairly easily ensure that the $SPLUNK_HOME/etc/apps (and in fact the entire etc folder) does not get modified, and that if it does, puppet brings it back into sync.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...