Splunk Enterprise

Deployment Server - Preventing use of Local Created Apps

shocko
Communicator

I'm using Splunk Enterprise 8.2.4 with deployment server. I want to push out all config/apps to my forwarders to prevent server admins adding config/apps locally. To date system admins have been creating their own inputs and dumping data into main, flooding the license usage etc. and I need to stop this happening. I only want approved configs/inputs etc. to be pushed to the forwarders. As such, I have onboarded all my forwarders to deployment server. My first question is:

  • Q1: How to prevent a user at the system creating an input and pushing data to the indexers? Is there a config item to only accept deployment server deployed inputs?

On a test system I pushed an application I created that disabled the collection of the [WinEventLog://Security]. I found though that that system had received the app but was still pushing those events. Running btool at the forwarder shows:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf disabled = 0

So this seems to be the config from when the forwarder was installed and the Windows inputs were selected in the forwarder MSI installation UI.

  • Q2: How to override this with deployment server i.e. a locally configured input not necessarily in the apps folder?

0 Karma
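As an added example (not part of the original post or of Splunk's own tooling), the following script turns the btool output quoted above into an audit: it parses `splunk btool inputs list --debug` and reports every enabled input stanza that takes any setting from a file the deployment server did not push. The sample btool output is constructed for the example, and the set of deployment-server-managed app names (`TA_windows_inputs`, `TA_Forwarders`) is an assumption you replace with your own serverclass app list.

```python
import re
import sys

# Constructed sample of `splunk btool inputs list --debug` on a Windows universal
# forwarder. Paths and stanzas are illustrative, not captured from a real host.
SAMPLE_BTOOL_OUTPUT = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA_windows_inputs\local\inputs.conf [WinEventLog://System]
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA_windows_inputs\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA_windows_inputs\local\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [monitor://C:\Temp\debug]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf disabled = 0
"""

# Assumed: the apps your deployment server actually pushes (from serverclass.conf).
DS_MANAGED_APPS = {"TA_windows_inputs", "TA_Forwarders"}

# btool --debug prints "<path to .conf>  <stanza header or key = value>" per line.
LINE_RE = re.compile(r"^(?P<path>.*?\.conf)\s+(?P<body>\S.*)$")
APP_RE = re.compile(r"[\\/]etc[\\/]apps[\\/](?P<app>[^\\/]+)[\\/]")
SYSTEM_DEFAULT_RE = re.compile(r"[\\/]etc[\\/]system[\\/]default[\\/]")


def parse_btool(text):
    """Parse btool --debug output into
    {stanza: {"sources": set(files), "settings": {key: (value, file)}}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, body = m.group("path"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, {"sources": set(), "settings": {}})
        elif current is None or "=" not in body:
            continue
        else:
            key, value = (s.strip() for s in body.split("=", 1))
            stanzas[current]["settings"][key] = (value, path)
        stanzas[current]["sources"].add(path)
    return stanzas


def is_managed_source(path, managed_apps):
    """True if the file came from a DS-pushed app or from Splunk's shipped
    etc/system/default; anything else (system/local, an unlisted app such as
    SplunkUniversalForwarder/local) was created on the host."""
    if SYSTEM_DEFAULT_RE.search(path):
        return True
    m = APP_RE.search(path)
    return bool(m) and m.group("app") in managed_apps


def is_enabled(settings):
    value, _ = settings.get("disabled", ("0", None))
    return value.lower() not in ("1", "true")


def audit_inputs(text, managed_apps):
    """Return {stanza: sorted unmanaged files} for every enabled input that
    takes at least one setting from a file the deployment server did not push."""
    findings = {}
    for stanza, info in parse_btool(text).items():
        if stanza == "default" or not is_enabled(info["settings"]):
            continue
        rogue = sorted(p for p in info["sources"] if not is_managed_source(p, managed_apps))
        if rogue:
            findings[stanza] = rogue
    return findings


if __name__ == "__main__":
    # Real use: splunk btool inputs list --debug | python audit_inputs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTOOL_OUTPUT
    for stanza, files in audit_inputs(text, DS_MANAGED_APPS).items():
        print(f"UNMANAGED input [{stanza}] from: {', '.join(files)}")
```

Run it on each forwarder (or collect the btool output centrally) and anything it flags is an input the deployment server did not deliver; on the constructed sample it flags the MSI-created `[WinEventLog://Security]` in `SplunkUniversalForwarder\local` and the `[monitor://C:\Temp\debug]` stanza in `system\local`, and leaves the deployed `[WinEventLog://System]` alone.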

shocko
Communicator

Thanks for the reply. The file C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf would have existed before the system was onboarded onto the deployment server but even after forwarder check-in it persists. So does this not indicate that only apps deployed by deployment server are enforced and locally created ones are not?

0 Karma

gcusello
Legend

Hi @shocko,

there are some internal apps that cannot be used and that aren't managed by the Deployment Server; SplunkUniversalForwarder is one of them!

Ciao.

Giuseppe

shocko
Communicator

OK. That says to me that deployment server can only be used to deliver applications per se and not to control an arbitrary one? Or, do you mean that I should deploy this to the SplunkUniversalForwarder app?

0 Karma

gcusello
Legend

Hi @shocko.

DS can be used to deploy and control every App to Clients.

There are some internal apps, installed during installation and that cannot be modified, that aren't managed by DS.

Every other App is managed by DS.

Ciao.

Giuseppe

gcusello
Legend

Hi @shocko,

if you configured your target server as a Deployment Client, managed by the Deployment Server, each local update on the target server is deleted at the next DS check.

To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.

Ciao.

Giuseppe

0 Karma

shocko
Communicator

Hi @gcusello, I don't understand what you mean by

To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.

Can you elaborate? 

0 Karma

gcusello
Legend

Hi @shocko,

the correct approach is to create an App (I usually call TA_Forwarders) containing only two files:

  • deploymentclient.conf (to address and manage the connection with the DS),
  • outputs.conf (to address and manage the connection with the Indexers).

In this way you have in only one point the configurations to reach DS and Indexers, so you can easily make every change (e.g. changing DS or adding an Indexer).

If your client is connected to the DS, every added App or every local change is deleted at the first check.

The only problem is that, when you install a new Forwarder, you have to manually copy this App on the Client and locally restart Splunk, then it's in the managing cycle.

Ciao.

Giuseppe
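As an added example (not from the original answer), this is what the two-file app described above looks like on disk, together with the deployment-server-side serverclass stanza that pushes it to every client. The app name `TA_Forwarders` follows the naming in the answer; the hostnames `ds.example.com`, `idx1.example.com` and `idx2.example.com`, the server class name `all_forwarders` and the ports are placeholders you replace with your own.

```ini
; $SPLUNK_HOME/etc/apps/TA_Forwarders/local/deploymentclient.conf
; Tells the forwarder which deployment server to phone home to.
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

; $SPLUNK_HOME/etc/apps/TA_Forwarders/local/outputs.conf
; Tells the forwarder which indexers to send data to.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

; On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf
; Every client that checks in gets TA_Forwarders and restarts splunkd when it changes.
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:TA_Forwarders]
restartSplunkd = true
```

Copy the app into `etc/apps/` on a freshly installed forwarder and restart it once, as the answer says; from then on the deployment server owns both files, so changing the DS address or adding an indexer is a single edit in `etc/deployment-apps/TA_Forwarders/` on the deployment server followed by `splunk reload deploy-server`.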
