Hi everyone,
I’m trying to disable Windows Security Event logs on a Universal Forwarder using Deployment Server apps, but it’s not working.
What I did:
First I created an app called disable-security-event with local/inputs.conf:
Deployed it via Deployment Server → shows as successfully deployed on UF.
Still Security logs keep coming.
Then I read about alphabetical precedence, so I created another app ZZZ_disable_security with the same config.
That also deployed fine, but btool still shows the disabled = 0 from:
In Splunk Search I can still see Security logs arriving.
So in short:
Both apps were deployed successfully (I see them in console UI).
But they don’t override the settings from SplunkUniversalForwarder\local\inputs.conf.
Question:
How can I properly override or disable Security Event logs defined in SplunkUniversalForwarder\local\inputs.conf using Deployment Server?
Is there a way to make my custom app take precedence, or do I need to remove/modify that file manually?
(I am doing this for education, to learn Deployment Server and understand how it works. I will attach a file of screenshots.)
Thanks!
As already said, you cannot change that via DS when your UF's configuration is in etc/system/local.
How to fix it?
You must create your own app for this kind of settings for the UF. Probably you need more than one? Then put those configurations and the needed serverclass.conf into DS and deploy as usual. After that you must remove those settings manually from the UF's conf files at etc/system/local. Restart the UF's SplunkForwarder service and now you have that configuration managed by DS.
IMHO: you should also put serverclass.conf into its own app, or even better put it in individual apps for each integration. Don't use the GUI, as it puts all of those under etc/system/local and then you have the same issue with DS as you have now on the UF.
I use this kind of structure:
Then I have a separate xxxx-ds-base-app where the DS's base configurations are.
With this concept I can manage several integrations at the same time, independently of each other. No need to do manual editing of one serverclass.conf file on DS. Also this can easily be automated.
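To make the precedence argument in this thread concrete, here is an added example; it is not code from the thread, from Splunk, or from the poster. It builds a throwaway forwarder directory layout in a temp dir (constructed, mirroring the question: the Security stanza in etc/system/local plus the two DS apps) and merges inputs.conf the way Splunk's global context does, lowest layer first, so the last writer wins. The layer order is the one from the docs linked later in the thread (system/default, app default, app local, system/local). Two things are assumptions of this model rather than the thread's own statements: the tie-break between two apps is modeled as the app whose directory name sorts first in ASCII order winning, and the "winner" bookkeeping is a simplification of what `btool --debug` prints.

```python
"""Model of Splunk global-context precedence for inputs.conf (added example)."""
import tempfile
from pathlib import Path

SECURITY = "WinEventLog://Security"


def parse_conf(text: str) -> dict:
    """Minimal .conf parser: '[stanza]' headers followed by 'key = value' lines."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def layered_paths(splunk_home: Path) -> list:
    """inputs.conf candidates from lowest to highest precedence.

    Assumption of this model: among apps, the name that sorts first in ASCII
    order wins, so apps are applied in reverse sort order (earliest name last).
    """
    apps_dir = splunk_home / "etc" / "apps"
    apps = sorted(apps_dir.iterdir(), key=lambda p: p.name) if apps_dir.is_dir() else []
    order = [splunk_home / "etc" / "system" / "default" / "inputs.conf"]
    order += [a / "default" / "inputs.conf" for a in reversed(apps)]
    order += [a / "local" / "inputs.conf" for a in reversed(apps)]
    order += [splunk_home / "etc" / "system" / "local" / "inputs.conf"]  # always last = wins
    return order


def effective_inputs(splunk_home: Path) -> tuple:
    """Merge every inputs.conf; record which file supplied each final value."""
    merged: dict = {}
    winner: dict = {}
    for path in layered_paths(splunk_home):
        if not path.is_file():
            continue
        for stanza, kv in parse_conf(path.read_text()).items():
            merged.setdefault(stanza, {})
            for key, value in kv.items():
                merged[stanza][key] = value
                winner[(stanza, key)] = path.relative_to(splunk_home).as_posix()
    return merged, winner


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_forwarder(root: Path, keep_system_local: bool) -> None:
    """Constructed layout from the question: stanza in system/local plus two DS apps."""
    if keep_system_local:
        _write(root / "etc/system/local/inputs.conf", f"[{SECURITY}]\ndisabled = 0\n")
    for app in ("disable-security-event", "ZZZ_disable_security"):
        _write(root / "etc/apps" / app / "local/inputs.conf", f"[{SECURITY}]\ndisabled = 1\n")


def security_input_state(keep_system_local: bool) -> tuple:
    """Return (effective 'disabled' value, file that supplied it) for the Security input."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_forwarder(root, keep_system_local)
        merged, winner = effective_inputs(root)
        return merged[SECURITY]["disabled"], winner[(SECURITY, "disabled")]


if __name__ == "__main__":
    # Before the manual cleanup: system/local wins no matter how the app is named.
    print("with system/local   :", security_input_state(keep_system_local=True))
    # After removing the stanza from system/local: the DS app's disabled = 1 takes effect.
    print("without system/local:", security_input_state(keep_system_local=False))
```

Running it shows the situation in the question (disabled = 0 coming from etc/system/local/inputs.conf even though two apps set disabled = 1) and the state after the stanza is deleted from system/local and the UF restarted, where the value comes from an app under etc/apps and DS is in control.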
Ahhh. Right. I read it backwards. Yes, if it's set in system/local, there's no way of overriding it via an app. That's the main reason why you should avoid putting any settings in system/local.
Oh, and the GUI - depending on which part of it it is - will happily write either to system/local or to some app of its own choice.
system/local takes precedence over everything else (except for peer-apps on indexer cluster). So your UF instance might have problems reading the file from disk (wrong permissions?)
@salohiddin - You need higher precedence, starting with alphabetical order for the global precedence of Splunk.
* Doc Reference - https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles
So,
I hope this helps!!!