Splunk Enterprise

Configuring Forwarders with Deployment server

johnblakley
Explorer

All,

I have successfully deployed an app based on the Splunk documentation on how to create a "send_to_indexer" app. The client is checking in, but I'm unable to figure out how I can modify the client.

What I'm looking for is this. I manually installed the UF on the server and selected the Security logs. I'm getting those with no issues. Now I want to select the System logs, and I wanted to do this by modifying the app and configuring the UF, but I'm unable to find any documentation on doing it this way - maybe the deployment server isn't used for this?

Is there a way to modify what logs you're collecting from the deployment server, and the index that the deployment servers send to without having to manually update all servers?


s2_splunk
Splunk Employee

That's exactly what the deployment server is for.

  • You configure deploymentclient.conf on the UF to point to your DS
  • You manage your app on the deployment server in the documented directory (../etc/apps/deployment-apps)
  • You set up a serverclass.conf file that maps deployment apps to serverclasses (groups of forwarders, or individual ones)
  • You run splunk reload deploy-server whenever a deployment app change needs to be distributed
  • The deployment clients check in and download what's relevant to them based on their serverclass membership

You say you have a send_to_indexer app. Do this:

  1. Make a small change to a file in that app (add a comment or some such) in the deployment-apps directory
  2. Run ./splunk reload deploy-server
  3. Check your UF's ./etc/apps/send_to_indexer directory to validate that the updated file is there

Note that the client by default checks in every 60 seconds (phoneHomeInterval on client), so it may take up to a minute before you see the change.


somesoni2
Revered Legend

Assuming you want to add more log monitoring on an existing client of your deployment server, you need to do the following:
1) (recommended) Create a deployment app which will have the event parsing configuration for your new data and will be deployed to indexers. Say it's called someDescHere_indexer_parsing.
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Createdeploymentapps
2) Create a deployment app which will have the monitoring configuration (inputs.conf) and will be deployed to deployment clients/forwarders. Say it's called someDescHere_inputs.
3) (if following step 1) Deploy the *_indexer_parsing app to indexers and restart them.
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Updateconfigurations
4) Deploy the *_inputs app to deployment clients/forwarders.
https://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Updateconfigurations


johnblakley
Explorer

I created an inputs.conf file under the send_to_indexer app, and restarted the deployment server this morning. I was expecting it to overwrite the /etc/system/local/inputs.conf, but it put it in /etc/apps/Send_To_indexer/local instead. How can I have the forwarder use this inputs file instead of the local /etc/system/local one?

I just changed the inputs.conf file again, and the changes are definitely being made...


ddrillic
Ultra Champion

@johnblakley, the $SPLUNK_HOME/etc/system/local/inputs.conf file should only have the host name, something like -

[default]
host = <hostname>

All the rest should come from $SPLUNK_HOME/etc/apps/Send_To_indexer/local/inputs.conf.

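As an added illustration of the layout the answers and comments above describe (written for this page, not taken from any of the posters), here are the three .conf files involved, with the System event log added next to the existing Security input. The deployment server hostname, serverclass name, host pattern and index name are assumed values.

```ini
# --- On each Universal Forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Points the UF at the deployment server (assumed hostname ds.example.com).
# 60 seconds is the default check-in interval; shown here only to make it explicit.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- On each Universal Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# system/local has higher precedence than any app, so keep only the host here.
# A duplicate [WinEventLog://...] stanza in this file would override the deployed app.
[default]
host = <hostname>

# --- On the deployment server: $SPLUNK_HOME/etc/deployment-apps/send_to_indexer/local/inputs.conf
# The inputs the forwarder should collect and the index they go to (assumed index name).
# Adding the System log here and reloading the DS updates every forwarder in the serverclass.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# --- On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf
# Maps the app to the forwarders that receive it (assumed host pattern win-*).
# restartSplunkd makes the UF pick up the new input without a manual restart.
[serverClass:windows_forwarders]
whitelist.0 = win-*

[serverClass:windows_forwarders:app:send_to_indexer]
restartSplunkd = true

# After editing the app or serverclass.conf, run on the deployment server:
#   splunk reload deploy-server
```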

johnblakley
Explorer

I came in this morning, and it was sending the correct logs. Thanks!
