My universal forwarder certificate package will be expiring soon in my Splunk Cloud environment. As a result, the Splunk vendor updated the forwarder package on the stack with updated certificates, to be deployed across any forwarders that connect directly to my Splunk instance.
My action: I should download and install the updated Universal Forwarder certificate package on all forwarders prior to the upcoming maintenance window.
Can someone elaborate on the pre-conditions and the further steps to be taken care of before my maintenance window?
FYI - I have the splunkclouduf.spl package
I am on Splunk Cloud and we receive this notification quarterly. Below are the steps which we followed.
1. Download the Splunk UF credential package, untar it and deploy it to the /opt/splunkforwarder/etc/apps folder on all the Splunk agents via the Deployment Server, or
2. manually place the file under the /opt/splunkforwarder/etc/apps folder and do a Splunk restart; that would suffice.
After performing this, if you want to check whether the UFs are reporting with the legacy or the new certificate package, run the below search on your search head.
index=_internal source=metrics.log group=tcpout_connections name=splunkcloud
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>.+?):"
| eval fwd_config=if(output_group="splunkcloud","legacy","new")
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config
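Before pushing the package to the forwarders, it is worth opening it once to see which tcpout group it defines and whether every certificate its outputs.conf points at is actually inside the archive. The script below is an added example (not from this thread, Splunk, or any answer here): it treats the .spl as the tar archive it is, parses default/outputs.conf, and applies the same legacy/new convention as the search above; the stack name, host and file names in the constructed sample package are made up, and inspect_sample only wraps the two functions for a stand-alone run.

```python
import configparser, io, tarfile, tempfile
from pathlib import Path
APPS = "$SPLUNK_HOME/etc/apps/"  # path prefix Splunk uses in the shipped outputs.conf

def inspect_uf_package(spl_path):
    """Parse default/outputs.conf inside a UF credential package (the .spl is a tar
    archive) and check that every certificate it references ships in the package."""
    with tarfile.open(spl_path) as tar:
        members = {m.name.lstrip("./"): m for m in tar.getmembers() if m.isfile()}
        conf_name = next(n for n in members if n.endswith("/default/outputs.conf"))
        conf = configparser.ConfigParser(interpolation=None, strict=False)
        conf.optionxform = str  # Splunk keys are case-sensitive (clientCert)
        conf.read_string(tar.extractfile(members[conf_name]).read().decode())
    groups = [s.split(":", 1)[1] for s in conf.sections() if s.startswith("tcpout:")]
    refs = [conf.get(f"tcpout:{g}", k, fallback=None)
            for g in groups for k in ("clientCert", "sslRootCAPath")]
    missing = [p for p in refs if p and p.startswith(APPS) and p[len(APPS):] not in members]
    return {
        "app": conf_name.split("/")[0],
        "default_group": conf.get("tcpout", "defaultGroup", fallback=None),
        "groups": groups,
        # same convention as the search above: a group literally named "splunkcloud" is legacy
        "fwd_config": "legacy" if "splunkcloud" in groups else "new",
        "missing_files": missing,
    }

def build_sample_package(directory):
    """Constructed stand-in for splunkclouduf.spl (made-up stack, host and file names);
    the CA file is deliberately left out so the missing-file check has something to report."""
    app = "100_example-stack_splunkcloud"
    outputs = ("[tcpout]\ndefaultGroup = splunkcloud\n\n[tcpout:splunkcloud]\n"
               "server = inputs.example-stack.splunkcloud.com:9997\nuseSSL = true\n"
               f"clientCert = {APPS}{app}/default/example-stack_server.pem\n"
               f"sslRootCAPath = {APPS}{app}/default/example-stack_cacert.pem\n")
    files = {f"{app}/default/outputs.conf": outputs,
             f"{app}/default/example-stack_server.pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"}
    spl = Path(directory) / "splunkclouduf.spl"
    with tarfile.open(spl, "w") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return spl

def inspect_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_uf_package(build_sample_package(tmp))

if __name__ == "__main__":
    print(inspect_sample())
```

Point inspect_uf_package at the real splunkclouduf.spl you downloaded; an empty missing_files list and the expected default_group are what you want to see before the deployment server pushes it out.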
At least you should check what the earliest time is at which the new certificate is valid, so you know when you can start to use it. Here is one way to check it.
Disclaimer: I haven't yet needed to update the current Splunk Cloud certificates, so I'm not sure if this is needed or not. Maybe they inform you only after it is already valid?
Thanks for your response.
I have the updated certificates handy. I'm planning to proceed the below way; kindly assist.
1) Installing the forwarder credentials on many forwarders using a deployment server
tar xvf splunkclouduf.spl
splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>
where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located, and <username>:<password> are the username and password of an existing admin account on the universal forwarder.