Disabling Splunk Secure Gateway in a Cluster Deployment

sherwin_r
Explorer

I am trying to disable the Splunk Secure Gateway app in a clustered environment. However, I don't see an option to disable the app in Apps -> Manage Apps. It only displays the current status of the app, which is "Active".

I also tried the same in a single node installation, where there is an option to disable the app just next to its current status in the same menu, i.e. Apps -> Manage Apps.

So, how can I disable the Splunk Secure Gateway in the clustered environment?

gcusello
SplunkTrust

Hi @sherwin_r,

If you cannot follow the solution from @isoutamo, the only way is my first solution: modify apps.conf on the Deployer and push the app to the Search Head Cluster.

Ciao.

Giuseppe

sherwin_r
Explorer

Thanks @gcusello @gjanders @isoutamo for your inputs. I will have to decide which solution I am going for. I will update if either worked as expected (however, I expect it to take a couple of days).

Regards,

Sherwin

gcusello
SplunkTrust

Hi @sherwin_r,

Good for you, see you next time!

Let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust

Hi

This is a known issue. You cannot disable some apps via the GUI. Fortunately, you could try this app to disable SSG and some others: https://splunkbase.splunk.com/app/7319

r. Ismo

sherwin_r
Explorer

Hi Ismo,

This solution seems to be amazing. However, I will have to try to solve this as far as possible without installing an extra app.

Best regards,

Sherwin

isoutamo
SplunkTrust

Unfortunately I don't think that you have any other option. That was the reason why @gjanders did this app...

gjanders
SplunkTrust

Exactly. Disabling default apps is a bit tricky.

Combine this with the 9.1.x version running a search on every instance and then an automated method like this helps on large indexer clusters, cluster managers et cetera.

The application works on most apps; I did find the Splunk Assist app cannot be disabled using the REST API.

Thanks @isoutamo

sherwin_r
Explorer

Hi @gcusello,

Thanks for the quick response.

I want to do this because my Splunk installation does not have access to the internet and Secure Gateway therefore logs a lot of errors.

Regards,

Sherwin

gcusello
SplunkTrust

Hi @sherwin_r,

This should occur if you try to enable some input in Secure Gateway, not by itself. Did you do it?

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @sherwin_r,

The only way to disable an app in a clustered environment is to modify the app.conf file in the app's local folder (if not present, copying it from default) on the deployer (app located in the shcluster folder) and push the modified app to the cluster.

But why do you want to do this?

Ciao.

Giuseppe
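
The deployer-side change described in the post above, sketched as an added example (not code from the thread or from Splunk). It assumes the app directory is named `splunk_secure_gateway` and that the disabled state is written as `state = disabled` in the `[install]` stanza of `app.conf`; the function name `disable_app_on_deployer` is hypothetical.

```shell
#!/bin/sh
# Added example: stage a disabled state for an app on the SHC deployer.
# Assumptions (not from the thread): the app directory name and the
# "[install] / state = disabled" setting in app.conf.

# disable_app_on_deployer <SPLUNK_HOME> <app_dir_name>
disable_app_on_deployer() {
    app_dir="$1/etc/shcluster/apps/$2"
    conf="$app_dir/local/app.conf"
    mkdir -p "$app_dir/local" || return 1

    # As the post says: if local/app.conf is absent, copy it from default.
    if [ ! -f "$conf" ]; then
        if [ -f "$app_dir/default/app.conf" ]; then
            cp "$app_dir/default/app.conf" "$conf" || return 1
        else
            : > "$conf"
        fi
    fi

    # Rewrite the file so [install] holds exactly one "state = disabled".
    # Handles: no [install] stanza, stanza without state, state = enabled.
    awk '
        function flush() {
            if (in_install && !done) { print "state = disabled"; done = 1 }
        }
        /^\[/ {
            flush()
            in_install = ($0 ~ /^\[install\][ \t]*$/)
            if (in_install) seen = 1
        }
        in_install && /^[ \t]*state[ \t]*=/ {
            if (!done) { print "state = disabled"; done = 1 }
            next
        }
        { print }
        END {
            flush()
            if (!seen) { print "[install]"; print "state = disabled" }
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Run on the deployer, e.g.: sh disable_app.sh /opt/splunk splunk_secure_gateway
if [ "$#" -eq 2 ]; then
    disable_app_on_deployer "$1" "$2"
    # Then push the bundle (placeholders for the member URI and credentials):
    #   splunk apply shcluster-bundle -target https://<member>:8089 -auth <user>:<password>
fi
```

The function only edits files under `etc/shcluster/apps` on the deployer; the push itself is left as a comment because it needs a member URI and credentials.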
