What deployment-apps subdirectory do I need on a Linux Deployment Server to update inputs.conf and outputs.conf on a Windows Universal Forwarder?

OldManEd
Builder

First, if this is a repeat question, I apologize. I tried to ask this question a short time ago, but cannot find it anywhere.

The situation is this. I loaded the Splunk Windows Universal Forwarder, (6.3), on a Windows server and would like to update the conf files when needed using a Linux Deployment server also running 6.3. According to the documentation, if I would like to update the inputs.conf or outputs.conf files on the Forwarder, I need to create a directory on the deployment server called $SPLUNK_HOME/etc/deployment-apps/<some app name>/default/outputs.conf and inputs.conf first. Then create server classes and add Forwarders.

My question is, is this correct? I was under the impression that changing any file in a "default" directory was frowned upon. Also, when I looked at the C:\Program Files\SplunkUniversalForwarder\etc\apps directory on the Forwarder, looking for a mapping application, all I saw was the following:

introspection_generator_addon
learned
search
splunk_httpinput
Splunk_TA_windows
SplunkUniversalForwarder

The files I need to update are in the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory on the forwarder. I don't understand how that all maps.

What directory do I need to create in the "deployment-apps" directory on the Deployment server to map to the correct conf files I would like to update?

Thanks in advance.

1 Solution

santiagoaloi
Path Finder

Hi!

mtranchita's answer is correct: precedence is a very important factor to keep in mind when it comes to deploying apps centrally, since $SPLUNK_HOME\etc\system\local cannot be touched by any deployment server.

Leave a deploymentclient.conf in $SPLUNK_HOME\etc\system\local; this way you guarantee that this forwarder will always call home.

A best practice for deploying apps and configurations is that you create an application, which is simply a bunch of .conf files within a folder, in this case the basic structure for a Universal Forwarder application would be (default and local)

So if you want to control your inputs and outputs centrally for that Universal Forwarder you could go this way:

Deployment Server:

$SPLUNK_HOME/etc/deployment-apps/CFG-universalforwarder_base/default/
    inputs.conf
    outputs.conf

If you want to target that Windows server for now, here's a way to do it:

$SPLUNK_HOME/etc/system/local/serverclass.conf

[serverClass:windows]
filterType = whitelist
# x.x.x.x = the Windows server's IP
whitelist.0 = x.x.x.x
machineTypesFilter = windows-*
restartSplunkd = true
stateOnClient = enabled

[serverClass:windows:app:CFG-universalforwarder_base]

Let me know if you got stuck and need more help, I'd be happy to help!

/Santiago


OldManEd
Builder

Santiago,
Thanks for the direction, but I'm having a little problem. I created a new directory on the Windows UF, "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config". I then moved the inputs.conf and outputs.conf files from the "C:\Program Files\SplunkUniversalForwarder\etc\system\local" directory to the new one. I then tried to start the forwarder and, while monitoring the splunkd.log file, saw this ERROR:

10-19-2015 09:55:24.481 -0600 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

I then moved everything back, and the service started with no errors.

Any ideas on what I'm doing wrong?


OldManEd
Builder

OK, I think I found my error. I simply created the

"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config"

directory, but did not create the "default" or "local" directories under that. I simply placed the "inputs.conf" and "outputs.conf" files under that main directory. But, after I created the "default" and "local" sub-directories, and put the "inputs.conf" and "outputs.conf" files in the

"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_UF_Config\local"

directory, no errors.

Thanks for everyone's responses on this issue.


mtranchita
Communicator

I believe your approach/understanding is largely correct however you are missing a couple of key concepts.
Oversimplifying it, editing files in the default folders should only be done by the developer. Since you are pushing out the app to the UF, you are the developer (yes, I'm using the term loosely). As such it is appropriate for you to put conf files in default folders.
You can push it out in local folders too if you want.
Which leads to the concept of precedence.
You will never be able to override configurations in system/local on a UF with a deployment server because it overrides everything else.

All of your managed configs should be pushed out in apps and never set in system/local.

Here is an excerpt from http://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles
When the context is global (that is, where there's no app/user context), directory priority descends in this order:

  1. System local directory -- highest priority
  2. App local directories
  3. App default directories
  4. System default directory -- lowest priority
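To make the precedence order concrete, here is an added example (not code from the thread or from Splunk) that resolves which copy of a setting wins on a Universal Forwarder. It models the etc tree as a dict of relative path to file text with constructed sample values, reproduces the follow-up's mistake of a conf file placed directly under apps/<app>/ (never read), and shows that a hand edit in system/local beats anything a deployment server pushes. The ASCII ordering of apps within one layer is an assumption the thread does not cover.

```python
"""Effective Splunk .conf resolution under the global-context precedence the
thread quotes: system/local > apps/*/local > apps/*/default > system/default.
Added example; the etc tree is a {relative path: file text} dict of samples."""
import configparser

def candidate_paths(tree, name):
    """Conf paths, highest priority first. Apps within a layer are visited in
    ASCII order (an assumption here; the thread does not discuss app order)."""
    apps = sorted({p.split("/")[1] for p in tree if p.startswith("apps/")})
    return ([f"system/local/{name}"]
            + [f"apps/{a}/local/{name}" for a in apps]
            + [f"apps/{a}/default/{name}" for a in apps]
            + [f"system/default/{name}"])

def resolve(tree, name):
    """Return {stanza: {key: (value, winning path)}}; the first path seen for
    a (stanza, key) wins, so higher layers override lower ones."""
    effective = {}
    for path in candidate_paths(tree, name):
        if path not in tree:   # apps/X/<name> with no default/ or local/ is never a candidate
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str   # Splunk keys are case-sensitive
        cp.read_string(tree[path])
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                effective.setdefault(stanza, {}).setdefault(key, (value, path))
    return effective

# Constructed UF tree: a deployed app done right, plus the follow-up's mistake.
UF_TREE = {
    "system/default/outputs.conf": "[tcpout]\ndefaultGroup = nobody\n",
    "system/local/deploymentclient.conf":
        "[target-broker:deploymentServer]\ntargetUri = ds.example.invalid:8089\n",
    "apps/CFG-universalforwarder_base/default/outputs.conf":
        "[tcpout]\ndefaultGroup = idx\n\n[tcpout:idx]\nserver = idx.example.invalid:9997\n",
    "apps/Splunk_UF_Config/outputs.conf": "[tcpout]\ndefaultGroup = never-read\n",
}

def winning_output_group(tree):
    """Which tcpout defaultGroup takes effect, and from which file."""
    return resolve(tree, "outputs.conf")["tcpout"]["defaultGroup"]

if __name__ == "__main__":
    print(winning_output_group(UF_TREE))   # the deployed app's default/ wins
    # An admin hand edit in system/local beats anything the deployment server pushes.
    hand_edited = {**UF_TREE, "system/local/outputs.conf": "[tcpout]\ndefaultGroup = hand\n"}
    print(winning_output_group(hand_edited))
```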