Installation

Universal Forwarder & Associated Certificate Package Upgrade

anandhalagaras1
Contributor

Hi Team,

Our Splunk instance is hosted in Cloud and maintained by Splunk Support. So recently we got an email from Splunk Support stating that our Universal Forwarder & Associated Certificate Package has been upgraded to latest version since it is going to expire in couple of days and they have requested us to download and install the UF package from Search Head and rollout to all our Client machines since they are planning to upgrade the package in the indexer level in a couple of days.

So our architecture is that we have 1 Deployment master server and 4 HF servers. Search heads , Cluster master , Indexers etc. are managed by Splunk Support.

So usually we used to push the customized apps and as well as forwarder apps from our Deployment master server to all our client machines. and moreover all our Splunk servers DM & HF are running with Linux OS.

 

https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/ConfigSCUFCredentials#Install_the_fo...

So as per the documentation I have downloaded the "splunkclouduf.spl" credentials package from our Search head and placed it in /opt/splunk/etc/deployment-apps folder in our DM server then as mentioned I have untar the file so after untar the file I can see a new folder as "100_xxxx_splunkcloud"

Later it is mentioned to install the credentials package so in here in this case it is mentioned to choose the path of splunkclouduf.spl so should i need to choose which path and install it?

/opt/splunk/etc/deployment-apps/splunkclouduf.spl (OR) /opt/splunk/etc/deployment-apps/100_xxxx_splunkcloud 

I am quite not sure hence I am struck over here and didn't installed the credentials yet so kindly help to check and update please.

And post installation of credentials package it is mentioned to restart the Splunk instance in the DM server. 

So post installation in my DM server how do I push them to all client machines? Do i need to edit the existing forwarder outputs app (which is pushed to all client machines and HF)

Since we already have an app "forwarder_outputs" which we have pushed to all client machines. So in this app we have local and metadata folder in it. And in local folder we have limits.conf, outputs.conf, xxx_cacert.pem & xxx_server.pem file and in metadata folder we have local.meta so now what are the files do i need to modify post installing the credential package in DM server and push them to all client machines so that the UF package would be running with latest version.

So kindly help on my request .

 

 

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no method to "push" an app from the Deployment Server (DS) to clients.  What happens is the client contacts the DS, gets a list of apps, then downloads those apps that have changed recently.

Once you download and unpack the splunkclouduf.spl file into the deployment-apps directory, all should be good.  The DS will take care of everything.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...