Proxy deployment polls through single forwarder

gradycraig
Explorer

Here's the situation: we have two virtual private cloud subnets, and the internal servers do not have internet access for security reasons. I have set up universal forwarders (UF) on all servers in each site. We also have a light forwarder (LF) in each subnet on the single server that has internet. All UFs will forward to the LFs; LFs will forward all events to the index server in our datacentre. Is there any way for the LFs to proxy the deployment callhome requests through that one server as well, without using a network level proxy? Or failing that, can I deploy a deployment server config (including serverclass etc.) to each LF from my main index/deployment server? This way all UFs will poll the LF at their respective site for deployment config.

I'm trying to reduce the deployment server count, and our cloud servers are also non-persistent. I don't want to have to script an entire rebuild of the deployment servers with custom configs and keep them up to date etc.

Any help would be appreciated!

If I haven't explained anything in enough detail, please let me know.

dwaddle
SplunkTrust

Sometimes an easier approach than a tiered deployment server is building "peer" deployment servers at each site and having them all pull configs from a central place like a git repo or an rsync server.

And unrelated, but in your position, I would probably make my "border" forwarder a heavy forwarder instead of a light. It will work better when you scale up to multiple indexers and are shooting data to them in parallel.

bmacias84
Champion

That all depends on how your white and black listing works in your serverclass.conf stanzas. On your parent deployment server, create a deployment server app, then create a secondary deployment server stanza in the main serverclass.conf with the LF in your white list with the default repository. Then your LF deployment servers will have their own serverclass.conf. Hope this makes sense (on my fourth cup of coffee).

0 Karma

gradycraig
Explorer

Yes, you understood it perfectly. This was something I had considered, but I didn't know if it would work. Do you know, would I have to manually define the serverclass.conf on each LF? I'm not sure that file is deployable; the docs say it needs to be in system/local.

0 Karma

bmacias84
Champion

You can have a tiered Deployment Server topology. Configure your LF as a Deployment Server and set its deploy-client poll to your DC Deployment Server. On your DC Deployment Server, create a Deployment Server stanza and modify the targetRepositoryLocation to the ‘/etc/deployment-apps’ on your LF. Configure your UFs to use the LF as their Deployment Server.

Hope I understood your question and that this helps. If that is what you want to do, I could help with the settings and stanzas.

0 Karma
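
A sketch of the tiered layout described in the replies above, added here as an illustration and not posted by any participant in the thread. All hostnames, server class names and the app name `uf_outputs` are placeholders, and `stateOnClient = noop` is an assumption about how you want the staged apps treated on the LF. With this layout the UFs only need to reach the LF's management port (8089 by default), and only the LF talks to the datacentre.

```ini
# --- Central (DC) deployment server: serverclass.conf ---
# Targets only the site LFs (placeholder hostnames).
[serverClass:site_deployment_servers]
whitelist.0 = lf-site-a.example.internal
whitelist.1 = lf-site-b.example.internal
# Land the apps in the LF's deployment repository rather than etc/apps,
# so the LF can serve them onward to its local UFs.
targetRepositoryLocation = $SPLUNK_HOME/etc/deployment-apps

[serverClass:site_deployment_servers:app:uf_outputs]
# noop: stage the app on the LF without enabling or disabling it there.
stateOnClient = noop
restartSplunkd = false

# --- Each LF: deploymentclient.conf (polls the central server) ---
[deployment-client]

[target-broker:deploymentServer]
targetUri = dc-deploy.example.internal:8089

# --- Each LF: its own serverclass.conf (serves the UFs at its site) ---
[serverClass:site_ufs]
whitelist.0 = *

[serverClass:site_ufs:app:uf_outputs]
restartSplunkd = true

# --- Each UF: deploymentclient.conf (polls the local LF only) ---
[deployment-client]

[target-broker:deploymentServer]
targetUri = lf-site-a.example.internal:8089
```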