I'm using Splunk Enterprise 8.2.4 with deployment server. I want to push out all config/apps to my forwarders to prevent server admins adding config/apps locally. To date system admins have been creating their own inputs and dumping data into main, flooding the license usage etc., and I need to stop this happening. I only want approved configs/inputs etc. to be pushed to the forwarders. As such, I have onboarded all my forwarders to deployment server. My first question is:
On a test system I pushed an application I created that disabled the collection of the [WinEventLog://Security]. I found though that that system had received the app but was still pushing those events. Running btool at the forwarder shows:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf disabled = 0
So this seems to be the config from when the forwarder was installed and the Windows inputs were selected in the forwarder MSI installation UI.
Thanks for the reply. The file C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf would have existed before the system was onboarded onto the deployment server but even after forwarder check-in it persists. So does this not indicate that only apps deployed by deployment server are enforced and locally created ones are not?
Hi @shocko,
there are some internal apps that cannot be used and that aren't managed by the Deployment Server; SplunkUniversalForwarder is one of them!
Ciao.
Giuseppe
OK. That says to me that deployment server can only be used to deliver applications per se and not to control an arbitrary one? Or do you mean that I should deploy this to the SplunkUniversalForwarder app?
Hi @shocko.
DS can be used to deploy and control every App to Clients.
There are some internal apps, installed during installation and that cannot be modified, that aren't managed by DS.
Every other App is managed by DS.
Ciao.
Giuseppe
Hi @shocko,
if you configured your target server as a Deployment Client, managed by the Deployment Server, each local update on the target server is deleted at the next DS check.
To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.
Ciao.
Giuseppe
Hi @gcusello, I don't understand what you mean by
To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.
Can you elaborate?
Hi @shocko,
the correct approach is to create an App (I usually call it TA_Forwarders) containing only two files:
In this way you have in only one place the configurations to reach DS and Indexers, so you can easily make every change (e.g. changing DS or adding an Indexer).
If your client is connected to the DS, every added App or every local change is deleted at the first check.
The only problem is that, when you install a new Forwarder, you have to manually copy this App on the Client and locally restart Splunk, then it's in the managing cycle.
Ciao.
Giuseppe
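As an added illustration of the TA_Forwarders approach described in the answer above (these are not Giuseppe's own files, which the post does not show): the client-side app carrying deployment_client.conf and an outputs.conf, plus the matching server class on the DS that keeps the app in the managed cycle. The hostnames, ports, server-class name and the choice of outputs.conf as the second file are assumptions.

```ini
# --- On each forwarder: $SPLUNK_HOME/etc/apps/TA_Forwarders/default/deployment_client.conf ---
# Tells the forwarder which Deployment Server to phone home to.
# ds.example.com:8089 is a placeholder for the DS management port.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- On each forwarder: $SPLUNK_HOME/etc/apps/TA_Forwarders/default/outputs.conf ---
# Where the forwarder sends its data; idx1/idx2 are placeholders.
# Keeping this here (and not in etc/system/local) means a local edit
# inside the app is overwritten at the next DS check-in.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# --- On the Deployment Server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# The same TA_Forwarders directory also lives in
# $SPLUNK_HOME/etc/deployment-apps/ on the DS so it can be re-delivered.
# whitelist.0 = * targets every deployment client; restartSplunkd
# restarts the client after it receives the app.
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:TA_Forwarders]
restartSplunkd = true
```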