First, if this is a repeat question, I apologize. I tried to ask this question a short time ago, but cannot find it anywhere.
The situation is this. I loaded the Splunk Windows Universal Forwarder (6.3) on a Windows server and would like to update the conf files when needed using a Linux Deployment server also running 6.3. According to the documentation, if I would like to update the inputs.conf or outputs.conf files on the Forwarder, I need to create a directory on the deployment server called
$SPLUNK_HOME/etc/deployment-apps/<some app name>/default/outputs.conf and inputs.conf first. Then create server classes and add Forwarders.
My question is, is this correct? I was under the impression that changing any file in a "default" directory was frowned upon. Also, when I looked at the
C:\Program Files\SplunkUniversalForwarder\etc\apps directory on the Forwarder, looking for a mapping application, all I saw was the following;
The files I need to update are in the
C:\Program Files\SplunkUniversalForwarder\etc\system\local directory on the forwarder. I don't understand how that all maps.
What directory do I need to create in the "deployment-apps" directory on the Deployment server to map to the correct conf files I would like to update?
Thanks in advance.
I believe your approach/understanding is largely correct; however, you are missing a couple of key concepts.
Oversimplifying it, editing files in the default folders should only be done by the developer. Since you are pushing out the app to the UF, you are the developer (yes, I'm using the term loosely). As such, it is appropriate for you to put conf files in default folders.
You can push it out in local folders too if you want.
Which leads to the concept of precedence.
You will never be able to override configurations in system/local on a UF with a deployment server because it overrides everything else.
All of your managed configs should be pushed out in apps and never set in system/local.
Here is an excerpt from http://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
mtranchita's answer is correct; the precedence is a very important factor to keep in mind when it comes to deploying apps centrally, since
$SPLUNK_HOME\etc\system\local cannot be touched by any deployment server.
$SPLUNK_HOME\etc\system\local this way you will guarantee that this forwarder will always call home.
A best practice for deploying apps and configurations is that you create an application, which is simply a bunch of .conf files within a folder. In this case, the basic structure for a Universal Forwarder application would be (default and local)
So if you want to control your inputs and outputs centrally for that Universal Forwarder you could go this way:
If you want to target that Windows server for now, here's a way to do it:
[serverClass:windows]
filterType = whitelist
# Replace x.x.x.x with the Windows server IP
whitelist.0 = x.x.x.x
machineTypesFilter = windows-*
restartSplunkd = true
stateOnClient = enabled

[serverClass:windows:app:CFG-universalforwarder_base]
Let me know if you got stuck and need more help, I'd be happy to help!
Thanks for the direction, but I'm having a little problem. I created a new directory on the Windows UF, "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUFConfig". I then moved the inputs.conf and outputs.conf files from the "C:\Program Files\SplunkUniversalForwarder\etc\system\local" directory to the new one. I then tried to start the forwarder and, while monitoring the splunkd.log file, saw this ERROR:
10-19-2015 09:55:24.481 -0600 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
I then moved everything back, and the service started with no errors.
Any ideas on what I'm doing wrong?
OK, I think I found my error. I simply created the
directory, but did not create the "default" or "local" directories under that. I simply placed the "inputs.conf" and "outputs.conf" files under that main directory. But, after I created the "default" and "local" sub-directories, and put the "inputs.conf" and "outputs.conf" files in the
directory, no errors.
Thanks for everyone's responses on this issue.
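The layering discussed in this thread, as an added example that is not part of any post and not Splunk's own code: a simplified model of global-context precedence (system/local, then app local, then app default, then system/default). It shows that a conf file placed in an app's root is never read and that system/local beats a deployed app. The app names come from the thread; the host names and the temporary directory tree are constructed.

```python
# Added illustration, not Splunk code: simplified model of global-context layering.
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def search_path(home):
    """Config directories, highest priority first (global context)."""
    etc = Path(home) / "etc"
    apps = sorted(p for p in (etc / "apps").glob("*") if p.is_dir())
    return ([etc / "system" / "local"] + [a / "local" for a in apps]
            + [a / "default" for a in apps] + [etc / "system" / "default"])

def effective(home, conf_name):
    """Return {(stanza, key): (value, winning_dir)}; first directory seen wins."""
    merged = {}
    for d in search_path(home):
        conf = d / conf_name
        if conf.is_file():
            for stanza, settings in parse_conf(conf).items():
                for key, value in settings.items():
                    merged.setdefault((stanza, key), (value, d.relative_to(home).as_posix()))
    return merged

def write(home, rel, text):
    target = Path(home) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)

def demo():
    """Constructed tree: deployed app, a conf misplaced in an app root, then system/local."""
    home = Path(tempfile.mkdtemp())
    write(home, "etc/apps/CFG-universalforwarder_base/default/outputs.conf",
          "[tcpout]\ndefaultGroup = indexers\n[tcpout:indexers]\nserver = idx.example.com:9997\n")
    write(home, "etc/apps/SplunkUFConfig/outputs.conf", "[tcpout]\ndefaultGroup = ignored\n")
    before = effective(home, "outputs.conf")
    write(home, "etc/system/local/outputs.conf", "[tcpout:indexers]\nserver = old.example.com:9997\n")
    return before, effective(home, "outputs.conf")
```

On a real forwarder, `splunk btool outputs list --debug` reports the file that supplies each effective setting.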