Splunk deployment server configuration

The Deployment Server distributes configuration and apps to Splunk Universal Forwarders, letting you manage remote forwarders centrally.

It sends configuration files such as inputs.conf, outputs.conf, props.conf and app.conf.

The serverclass.conf file defines which clients get which apps; the deployment-apps directory holds the apps to be distributed.

A server class maps deployment apps to client group.

https://docs.splunk.com/Documentation/MSApp/1.4.3/MSInfra/Setupadeploymentserver

 

An app can contain configuration files that the deployment client needs, for example:

  • metadata/local.meta
  • local/app.conf
  • local/inputs.conf
  • local/outputs.conf
  • local/props.conf

 

# Deployment Server /opt/splunk/etc/deployment-apps

Download these apps:

https://splunkbase.splunk.com/app/833/    splunk-add-on-for-unix-and-linux_524.tgz

https://splunkbase.splunk.com/app/742/    splunk-add-on-for-microsoft-windows_484.tgz

 

Install them under the /opt/splunk/etc/deployment-apps directory on your deployment server (172.13.1.2):

# tar -xzf splunk-add-on-for-unix-and-linux_524.tgz -C /opt/splunk/etc/deployment-apps

# tar -xzf splunk-add-on-for-microsoft-windows_484.tgz -C /opt/splunk/etc/deployment-apps

Wait at least 10 minutes.

 

On your forwarder (IP 10.16.9.25), set it up as the deployment client:

 

/opt/splunkforwarder/bin/splunk set deploy-poll 172.13.1.2:8089 -auth admin:changeme

/opt/splunkforwarder/bin/splunk restart

/opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme

 

On the deployment server select Settings > Forwarder Management

[ the configuration is saved in /opt/splunk/etc/system/local/serverclass.conf ]

 

On the deployment server, put or create the apps under /opt/splunk/etc/deployment-apps.

 



On the deployment server select Settings > Forwarder Management and confirm that you see the apps.

Server Classes tab > Create one    Name [ Linux ]

Add the Apps [ Splunk Unix App ] and Save

Select the Restart Splunkd box and Save

Edit > Edit Clients for [Linux] in the Server Classes tab

 

A server class maps a client group to one or more deployment apps; clients can be grouped by:

  • hostname or IP address
  • machine type

On the deployment server select Settings > Forwarder Management, click the Server Classes tab > Create one

Name [Unix_and_Linux]

Add apps [Select the Unix Apps]

SAVE

Edit Clients

Enter the client IP address in the Include (whitelist) field and click Preview:

Include (whitelist):    10.16.9.25
Exclude (blacklist):    (none)
Machine type:           Linux-x86_64

Click Preview > SAVE
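The server class built in Forwarder Management above is what Splunk writes into serverclass.conf. The following is an added example, not code from the original page: the equivalent serverclass.conf for the Unix_and_Linux class, plus a small POSIX shell matcher that answers "which apps will this client receive?" using the deployment server's rules (a client must match a whitelist entry, any blacklist match excludes it, and machineTypesFilter must match when it is set). The add-on directory names Splunk_TA_nix and Splunk_TA_windows, the Windows class, the 10.16.9.* whitelist and the 10.16.9.99 blacklist entry are assumptions added for illustration; send_to_fw1 is the page's own app, and name matching is simplified to shell glob matching.

```shell
#!/bin/sh
# Added example (not from the original page): the serverclass.conf that the
# Forwarder Management steps produce, plus a matcher that answers "which apps
# does this client receive?" using the deployment server's rules:
#   1. the client must match a whitelist.N entry,
#   2. any blacklist.N match excludes it (blacklist wins),
#   3. if machineTypesFilter is set, the client's machine type must be listed.
# Assumptions: the add-ons extract as Splunk_TA_nix / Splunk_TA_windows, the
# Windows class and the extra whitelist/blacklist entries are illustrative,
# and matching is simplified to shell glob matching (so 10.16.9.* works).

SERVERCLASS_CONF=$(mktemp)
trap 'rm -f "$SERVERCLASS_CONF"' EXIT
cat >"$SERVERCLASS_CONF" <<'EOF'
[serverClass:Unix_and_Linux]
whitelist.0 = 10.16.9.25
whitelist.1 = 10.16.9.*
blacklist.0 = 10.16.9.99
machineTypesFilter = linux-x86_64

[serverClass:Unix_and_Linux:app:Splunk_TA_nix]
restartSplunkd = true
stateOnClient = enabled

[serverClass:Unix_and_Linux:app:send_to_fw1]
restartSplunkd = true
stateOnClient = enabled

[serverClass:Windows]
whitelist.0 = win-*
machineTypesFilter = windows-x64

[serverClass:Windows:app:Splunk_TA_windows]
restartSplunkd = true
stateOnClient = enabled
EOF

# Print the value of every key starting with $3 inside stanza [$2] of file $1.
sc_values() {
    awk -v stanza="[$2]" -v prefix="$3" '
        /^\[/ { in_stanza = ($0 == stanza); next }
        in_stanza && index($0, prefix) == 1 { sub(/^[^=]*= */, ""); print }
    ' "$1"
}

# Return 0 when any pattern read from stdin (one per line) glob-matches $1.
matches_any() {
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        case "$1" in $pattern) return 0 ;; esac   # unquoted on purpose: glob match
    done
    return 1
}

# Does client $3 (host/IP) with machine type $4 belong to server class $2 of file $1?
class_matches() {
    sc_file=$1; sc_name=$2; sc_client=$3; sc_mtype=$4
    if sc_values "$sc_file" "serverClass:$sc_name" "blacklist." | matches_any "$sc_client"; then
        return 1                                  # blacklist overrides whitelist
    fi
    sc_values "$sc_file" "serverClass:$sc_name" "whitelist." | matches_any "$sc_client" || return 1
    sc_filter=$(sc_values "$sc_file" "serverClass:$sc_name" "machineTypesFilter")
    [ -n "$sc_filter" ] || return 0               # no filter: the whitelist alone decides
    printf '%s\n' "$sc_filter" | tr ',' '\n' | sed 's/^ *//' | matches_any "$sc_mtype"
}

# Print, space-separated, every app that client $2 with machine type $3 receives from $1.
apps_for_client() {
    grep -o '^\[serverClass:[^]:]*\]' "$1" | tr -d '[]' | sed 's/^serverClass://' |
    while IFS= read -r cls; do
        if class_matches "$1" "$cls" "$2" "$3"; then
            grep -o "^\[serverClass:$cls:app:[^]]*\]" "$1" | sed 's/.*:app://; s/\]$//'
        fi
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Probe a few constructed clients against the class definitions above.
for probe in "10.16.9.25 linux-x86_64" "10.16.9.99 linux-x86_64" \
             "10.16.9.40 windows-x64" "win-dc01 windows-x64"; do
    set -- $probe
    printf '%-12s %-14s -> %s\n' "$1" "$2" "$(apps_for_client "$SERVERCLASS_CONF" "$1" "$2")"
done
```

Run it with sh. A client that is whitelisted but has the wrong machine type, or that appears in a blacklist, gets nothing, which is one reason a forwarder can show up in `splunk list deploy-clients` and still receive no apps.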

 

Deployment server:    /opt/splunk/bin/splunk list deploy-clients

Deployment server:    /opt/splunk/bin/splunk reload deploy-server

Deployment server:    /opt/splunk/bin/splunk list deploy-clients

 

On the Universal Forwarder:    ls -l /opt/splunkforwarder/etc/apps   (you should see the deployed apps here)

On the Universal Forwarder:    /opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme

On the Universal Forwarder:    /opt/splunkforwarder/bin/splunk list forwarder-server -auth admin:changeme

 

To verify that the Splunk server has indexed events from the forwarder, search:

index=_internal host="Your_host" component="TcpOutputProc"


Examples of the config files are below.

 

$ cat /opt/splunk/etc/deployment-apps/send_to_fw1/metadata/local.meta

[]

access = read : [ * ], write : [ admin ]

export = system

———————————————————————————————————-

$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/app.conf

[package]

check_for_updates = false

 

[install]

state = enabled

 

[ui]

is_visible = false

is_manageable = false

 

[launcher]

author = Patel Lab

description = sending files to forwarder

version = 1.0

———————————————————————————————————–

$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/inputs.conf

[monitor:///var/log/access.log]

disabled=false

index=web

blacklist=secure.log

whitelist=access.log

 

[monitor:///var/log/secure.log]

disabled=false

index=secure

blacklist=access.log

whitelist=secure.log

———————————————————————————————-

$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

disabled = false

server = 172.31.10.172:9997,172.31.0.168:9997

[tcpout-server://172.31.10.172:9997]

[tcpout-server://172.31.0.168:9997]

————————————————————————————————-
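Everything under deployment-apps is pushed to every client in the matching server class, so it is worth checking an app on the deployment server before it reaches the forwarders. The following is an added example, not code from the original page: a POSIX shell lint for the file layout listed earlier (metadata/local.meta, local/app.conf, local/inputs.conf, local/outputs.conf) that flags a local.meta without its app-wide [] stanza or with a write ACL open to everyone, a monitor input with no index, and an outputs group with no server list. The two sample apps it builds in a temporary directory are constructed for the example: send_to_fw1 mirrors the page's listings above, bad_app is an assumed broken counterpart.

```shell
#!/bin/sh
# Added example (not from the original page): lint a deployment app before the
# deployment server hands it to the forwarders. Checks: metadata/local.meta has
# its app-wide [] stanza and does not grant write to everyone, local/app.conf
# exists, every [monitor://] stanza names an index, and the tcpout defaultGroup
# actually has a server list.

APP_ROOT=$(mktemp -d)
trap 'rm -rf "$APP_ROOT"' EXIT

# Constructed sample 1: a well-formed copy of the page's send_to_fw1 app.
mkdir -p "$APP_ROOT/send_to_fw1/metadata" "$APP_ROOT/send_to_fw1/local"
cat >"$APP_ROOT/send_to_fw1/metadata/local.meta" <<'EOF'
[]
access = read : [ * ], write : [ admin ]
export = system
EOF
cat >"$APP_ROOT/send_to_fw1/local/app.conf" <<'EOF'
[install]
state = enabled
EOF
cat >"$APP_ROOT/send_to_fw1/local/inputs.conf" <<'EOF'
[monitor:///var/log/access.log]
disabled = false
index = web

[monitor:///var/log/secure.log]
disabled = false
index = secure
EOF
cat >"$APP_ROOT/send_to_fw1/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 172.31.10.172:9997,172.31.0.168:9997
EOF

# Constructed sample 2 (assumed, not from the page): the usual slips in one app.
mkdir -p "$APP_ROOT/bad_app/metadata" "$APP_ROOT/bad_app/local"
cat >"$APP_ROOT/bad_app/metadata/local.meta" <<'EOF'
access = read : [ * ], write : [ * ]
export = system
EOF
cat >"$APP_ROOT/bad_app/local/inputs.conf" <<'EOF'
[monitor:///var/log/messages]
disabled = false
EOF
cat >"$APP_ROOT/bad_app/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group
EOF

# Print one finding per line for the app directory $1; return 1 if there were any.
lint_app() {
    app=$1; findings=0
    meta="$app/metadata/local.meta"
    if [ ! -f "$meta" ]; then
        echo "missing metadata/local.meta"; findings=1
    else
        grep -q '^\[\]' "$meta" || { echo "local.meta: no app-wide [] stanza"; findings=1; }
        grep -q 'write *: *\[ *\* *\]' "$meta" && { echo "local.meta: write ACL is open to everyone"; findings=1; }
    fi
    [ -f "$app/local/app.conf" ] || { echo "missing local/app.conf"; findings=1; }
    inputs="$app/local/inputs.conf"
    if [ -f "$inputs" ]; then
        # Each [monitor://...] stanza must carry an index= before the next stanza starts.
        awk '/^\[monitor:/ { if (s != "" && !ok) print "inputs.conf: " s " has no index"; s = $0; ok = 0; next }
             /^index *=/   { ok = 1 }
             END           { if (s != "" && !ok) print "inputs.conf: " s " has no index" }' "$inputs" | grep . && findings=1
    fi
    outputs="$app/local/outputs.conf"
    if [ -f "$outputs" ]; then
        grp=$(awk -F'= *' '/^defaultGroup/ { print $2 }' "$outputs")
        awk -v st="[tcpout:$grp]" '/^\[/ { in_st = ($0 == st); next } in_st && /^server *=/ { found = 1 } END { exit !found }' "$outputs" \
            || { echo "outputs.conf: group $grp has no server list"; findings=1; }
    fi
    return $findings
}

# Lint every app under the (constructed) deployment-apps root.
for app_dir in "$APP_ROOT"/*; do
    printf '== %s\n' "$(basename "$app_dir")"
    lint_app "$app_dir" && echo "ok"
done
```

Point it at /opt/splunk/etc/deployment-apps on a real deployment server by replacing the constructed APP_ROOT; a non-zero return from lint_app means the app should not be attached to a server class yet.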

 

[splunker@ip-172-31-1-1 local]$ /opt/splunk/bin/splunk list deploy-clients -auth admin:splunk

An authentication error occurred: Client is not authenticated

 

[splunker@ip-172-31-1-1 local]$

On the Forwarder    /opt/splunkforwarder/bin/splunk set deploy-poll 172.31.1.1:8089 -auth admin:changeme

On the Forwarder    /opt/splunkforwarder/bin/splunk restart

On the Forwarder    /opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme

 

On the deployment server    $ /opt/splunk/bin/splunk list deploy-clients -auth admin:splunk