Splunk Enterprise

Deployment Server - Preventing use of Local Created Apps

shocko
Contributor

I'm using Splunk Enterprise 8.2.4 with deployment server. I want to push out all config/apps to my forwarders to prevent server admins adding config/apps locally. To date system admins have been creating their own inputs and dumping data into main, flooding the license usage etc., and I need to stop this happening. I only want approved configs/inputs etc. to be pushed to the forwarders. As such, I have onboarded all my forwarders to deployment server. My first question is:

  • Q1: How to prevent a user at the system creating an input and pushing data to the indexers? Is there a config item to only accept deployment server deployed inputs?

On a test system I pushed an application I created that disabled the collection of the [WinEventLog://Security]. I found though that that system had received the app but was still pushing those events. Running btool at the forwarder shows:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf disabled = 0

So this seems to be the config from when the forwarder was installed and the Windows inputs were selected in the forwarder MSI installation UI.

  • Q2: How to override this with deployment server i.e. a locally configured input not necessarily in the apps folder?


shocko
Contributor

Thanks for the reply. The file C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf would have existed before the system was onboarded onto the deployment server but even after forwarder check-in it persists. So does this not indicate that only apps deployed by deployment server are enforced and locally created ones are not?


gcusello
SplunkTrust

Hi @shocko,

there are some internal apps that cannot be used and that aren't managed by the Deployment Server; SplunkUniversalForwarder is one of them!

Ciao.

Giuseppe

shocko
Contributor

OK. That says to me that deployment server can only be used to deliver applications per se and not to control an arbitrary one? Or, do you mean that I should deploy this to the SplunkUniversalForwarder app?


gcusello
SplunkTrust

Hi @shocko.

DS can be used to deploy and control every App to Clients.

There are some internal apps, installed during installation and that cannot be modified, that aren't managed by DS.

Every other App is managed by DS.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @shocko,

if you configured your target server as a Deployment Client, managed by the Deployment Server, each local update on the target server is deleted at the next DS check.

To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.

Ciao.

Giuseppe


shocko
Contributor

Hi @gcusello, I don't understand what you mean by

To avoid every change, it's a good practice to put also deployment_client.conf file in a TA to deploy using the DS.

Can you elaborate?


gcusello
SplunkTrust

Hi @shocko,

the correct approach is to create an App (I usually call TA_Forwarders) containing only two files:

  • deploymentclient.conf (to address and manage the connection with the DS),
  • outputs.conf (to address and manage the connection with the Indexers).

In this way you have in only one point the configurations to reach DS and Indexers, so you can easily make every change (e.g. changing DS or adding an Indexer).

If your client is connected to the DS, every added App or every local change is deleted at the first check.

The only problem is that, when you install a new Forwarder, you have to manually copy this App on the Client and locally restart Splunk, then it's in the managing cycle.

Ciao.

Giuseppe
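As an added illustration of the two-file app described above (example configuration, not from the original answer or from Splunk documentation), here is what such a TA_Forwarders app and the matching server class on the Deployment Server could look like. The app name, host names and ports are placeholders; the serverclass.conf stanza is an assumption about the DS side, which the answer does not show.

```ini
# --- On each forwarder: etc/apps/TA_Forwarders/local/deploymentclient.conf ---
# Hypothetical app name and DS host; adjust to your environment.
[deployment-client]
# Phone home every 60 seconds, so a local edit to a DS-managed app is
# reverted at the next check rather than lingering.
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- On each forwarder: etc/apps/TA_Forwarders/local/outputs.conf ---
# Indexer addresses are placeholders.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# --- On the Deployment Server: etc/system/local/serverclass.conf (assumed) ---
# Pushes TA_Forwarders to every client that phones home, so the client
# keeps receiving the DS and indexer settings from one managed place.
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:TA_Forwarders]
restartSplunkd = true
```

As the answer notes, on a freshly installed forwarder this app has to be copied into etc/apps by hand and splunkd restarted once before the DS takes over; after that, the DS keeps the copy authoritative.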
