First, if this is a repeat question, I apologize. I tried to ask this question a short time ago, but cannot find it anywhere.
The situation is this. I loaded the Splunk Windows Universal Forwarder (6.3) on a Windows server and would like to update the conf files when needed using a Linux Deployment server also running 6.3. According to the documentation, if I would like to update the inputs.conf or outputs.conf files on the Forwarder, I need to create a directory on the deployment server called $SPLUNK_HOME/etc/deployment-apps/<some app name>/default/outputs.conf and inputs.conf first. Then create server classes and add Forwarders.
My question is, is this correct? I was under the impression that changing any file in a "default" directory was frowned upon. Also, when I looked at the C:\Program Files\SplunkUniversalForwarder\etc\apps directory on the Forwarder, looking for a mapping application, all I saw was the following:
introspection_generator_addon
learned
search
splunk_httpinput
Splunk_TA_windows
SplunkUniversalForwarder
The files I need to update are in the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory on the forwarder. I don't understand how that all maps.
What directory do I need to create in the "deployment-apps" directory on the Deployment server to map to the correct conf files I would like to update?
Thanks in advance.
Hi!
mtranchita's answer is correct; precedence is a very important factor to keep in mind when it comes to deploying apps centrally, since $SPLUNK_HOME\etc\system\local cannot be touched by any deployment server.
Leave a deploymentclient.conf in $SPLUNK_HOME\etc\system\local; this way you will guarantee that this forwarder will always call home.
A best practice for deploying apps and configurations is to create an application, which is simply a bunch of .conf files within a folder. In this case, the basic structure for a Universal Forwarder application would be (default and local).
So if you want to control your inputs and outputs centrally for that Universal Forwarder you could go this way:
Deployment Server
$SPLUNK_HOME/etc/deployment-apps/CFG-universalforwarder_base/default/
    inputs.conf
    outputs.conf
If you want to target that Windows server for now, here's a way to do it:
$SPLUNK_HOME/etc/system/local/serverclass.conf
[serverClass:windows]
filterType = whitelist
# x.x.x.x = Windows server IP
whitelist.0 = x.x.x.x
machineTypesFilter = windows-*
restartSplunkd = true
stateOnClient = enabled
[serverClass:windows:app:CFG-universalforwarder_base]
Let me know if you get stuck and need more help, I'd be happy to help!
/Santiago
Santiago,
Thanks for the direction but I'm having a little problem. I created a new directory on the Windows UF, "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config". I then moved the inputs.conf and outputs.conf files from the "C:\Program Files\SplunkUniversalForwarder\etc\system\local" directory to the new one. I then tried to start the forwarder and while monitoring the splunkd.log file, saw this ERROR;
10-19-2015 09:55:24.481 -0600 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
I then moved everything back, and the service started with no errors.
Any ideas on what I'm doing wrong?
OK, I think I found my error. I simply created the "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config" directory, but did not create the "default" or "local" directories under that. I simply placed the "inputs.conf" and "outputs.conf" files under that main directory. But, after I created the "default" and "local" sub-directories, and put the "inputs.conf" and "outputs.conf" files in the "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config\local" directory, no errors.
Thanks for everyone's responses on this issue.
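An added example, not part of any post in this thread: a shell check for the two problems discussed above, conf files placed directly in an app directory instead of default or local, and files in system/local that outrank a deployed app. The function names, output labels and sample tree are constructed for illustration; point audit_etc at a real etc directory to use it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Splunk etc/ tree for the two
# problems discussed above. All sample names below are constructed.

# .conf files placed directly in an app directory are not loaded; they must
# sit in <app>/default or <app>/local (the Splunk_UF_Config mistake).
find_misplaced() (
  etc=$1
  for dir in "$etc/apps" "$etc/deployment-apps"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*/*.conf; do
      if [ -f "$f" ]; then echo "MISPLACED ${f#"$etc"/}"; fi
    done
  done
)

# A file in system/local outranks the same file in any app, so a pushed app can
# be silently overridden. File-level match only; Splunk merges per setting.
# deploymentclient.conf is skipped: the answer recommends keeping it there.
find_shadowed() (
  etc=$1
  for f in "$etc"/system/local/*.conf; do
    [ -f "$f" ] || continue
    name=${f##*/}
    if [ "$name" = deploymentclient.conf ]; then continue; fi
    for a in "$etc"/apps/*/default/"$name" "$etc"/apps/*/local/"$name"; do
      if [ -f "$a" ]; then echo "SHADOWED ${a#"$etc"/} by system/local/$name"; fi
    done
  done
)

audit_etc() { find_misplaced "$1"; find_shadowed "$1"; }

# Constructed sample tree mirroring the layouts described in the thread.
build_sample_etc() (
  t=$(mktemp -d)
  mkdir -p "$t/system/local" "$t/apps/Splunk_UF_Config" \
           "$t/apps/CFG-universalforwarder_base/default"
  touch "$t/system/local/outputs.conf" "$t/system/local/deploymentclient.conf" \
        "$t/apps/Splunk_UF_Config/inputs.conf" \
        "$t/apps/Splunk_UF_Config/outputs.conf" \
        "$t/apps/CFG-universalforwarder_base/default/inputs.conf" \
        "$t/apps/CFG-universalforwarder_base/default/outputs.conf"
  echo "$t"
)

sample=$(build_sample_etc)
audit_etc "$sample"
rm -rf "$sample"
```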
I believe your approach/understanding is largely correct; however, you are missing a couple of key concepts.
Oversimplifying it, editing files in the default folders should only be done by the developer. Since you are pushing out the app to the UF, you are the developer (yes, I'm using the term loosely). As such, it is appropriate for you to put conf files in default folders.
You can push it out in local folders too if you want.
Which leads to the concept of precedence.
You will never be able to override configurations in system/local on a UF with a deployment server because it overrides everything else.
All of your managed configs should be pushed out in apps and never set in system/local.
Here is an excerpt from http://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles
When the context is global (that is, where there's no app/user context), directory priority descends in this order: