Splunk deployment server configuration
The deployment server distributes configuration and apps to Splunk Universal Forwarders, so you can manage remote forwarders centrally.
It sends configuration files such as inputs.conf, outputs.conf, props.conf and app.conf.
The serverclass.conf file defines which clients get which apps; deployment-apps holds the apps for distribution.
A server class maps deployment apps to a client group.
https://docs.splunk.com/Documentation/MSApp/1.4.3/MSInfra/Setupadeploymentserver
An app can have configuration files that might be needed by the deployment client
- metadata/local.meta
- local/app.conf
- local/inputs.conf
- local/outputs.conf
- local/props.conf
# Deployment Server /opt/splunk/etc/deployment-apps
Download these apps:
https://splunkbase.splunk.com/app/833/ splunk-add-on-for-unix-and-linux_524.tgz
https://splunkbase.splunk.com/app/742/ splunk-add-on-for-microsoft-windows_484.tgz
Install them under the /opt/splunk/etc/deployment-apps directory on your deployment server (172.13.1.2):
# tar -xzf splunk-add-on-for-unix-and-linux_524.tgz -C /opt/splunk/etc/deployment-apps
# tar -xzf splunk-add-on-for-microsoft-windows_484.tgz -C /opt/splunk/etc/deployment-apps
Wait at least 10 min
On your forwarder, set it up as the deployment client:
/opt/splunkforwarder/bin/splunk set deploy-poll 172.13.1.2:8089 -auth admin:changeme
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme
On the deployment server, select Settings > Forwarder Management
[ configuration saved in /opt/splunk/etc/system/local/serverclass.conf ]
On the deployment server, put or create the apps under /opt/splunk/etc/deployment-apps.
On your forwarder (IP 10.16.9.25), set it up as the deployment client:
/opt/splunkforwarder/bin/splunk set deploy-poll 172.13.1.2:8089 -auth admin:changeme
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme
On the deployment server, select Settings > Forwarder Management and confirm that you see the apps.
On the Server Classes tab, click the "create one" link and name it [ Linux ].
Add the apps [ Splunk Unix App ] and save.
Select the Restart Splunkd box and save.
Edit > Edit Clients for [Linux] in the Server Classes tab.
A server class maps a client group to one or more deployment apps. Clients can be grouped based on:
- hostname or IP address
- Machine Type
On the deployment server, select Settings > Forwarder Management, click the Server Classes tab, then "create one".
Name [Unix_and_Linux]
Add apps [Select the Unix Apps ]
SAVE
Edit Clients
Enter the client IP address in the Include (whitelist) field:
Include (whitelist): 10.16.9.25
Exclude (blacklist): (empty)
Machine type: Linux-x86_64
Click Preview > SAVE
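How the whitelist, blacklist and machine-type settings from the steps above decide which clients are offered which apps, as an added example that is not from the original page or from Splunk. The stanzas are a constructed sample of what serverclass.conf might contain; the app directory name Splunk_TA_nix and the "everything" class are assumptions, and the matching is a simplified model that reads filters at server-class level only.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample, not taken from a real server. "Splunk_TA_nix" and the
# "everything" class are assumptions added for illustration.
SAMPLE = """\
[serverClass:Unix_and_Linux]
whitelist.0 = 10.16.9.25
machineTypesFilter = linux-x86_64
[serverClass:Unix_and_Linux:app:Splunk_TA_nix]
restartSplunkd = true
[serverClass:everything]
whitelist.0 = *
[serverClass:everything:app:send_to_fw1]
restartSplunkd = true
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case, e.g. machineTypesFilter
    cp.read_string(text)
    return cp

def patterns(section, kind):
    """Values of whitelist.N / blacklist.N in one stanza."""
    return [v.strip() for k, v in section.items() if k.startswith(kind + ".")]

def client_matches(section, ip, hostname, machine_type):
    """Simplified model: blacklist wins, whitelist is required, and
    machineTypesFilter (if set) is ANDed on top. '*' is the wildcard."""
    def hit(pats):
        return any(fnmatchcase(c, p) for p in pats for c in (ip, hostname))
    if hit(patterns(section, "blacklist")) or not hit(patterns(section, "whitelist")):
        return False
    types = [t.strip() for t in section.get("machineTypesFilter", "").split(",") if t.strip()]
    return not types or any(fnmatchcase(machine_type, t) for t in types)

def apps_for_client(cp, ip, hostname, machine_type):
    """(server class, app) pairs this client would be offered."""
    out = []
    for name in cp.sections():
        parts = name.split(":")
        if len(parts) == 4 and parts[0] == "serverClass" and parts[2] == "app":
            sc = "serverClass:" + parts[1]
            if cp.has_section(sc) and client_matches(cp[sc], ip, hostname, machine_type):
                out.append((parts[1], parts[3]))
    return sorted(out)

def wildcard_classes(cp):
    """Server classes whose whitelist contains a bare '*' (admits any client)."""
    return sorted(n.split(":", 1)[1] for n in cp.sections()
                  if n.count(":") == 1 and "*" in patterns(cp[n], "whitelist"))
```

Running wildcard_classes() over a copy of the real serverclass.conf lists the classes whose apps go to any forwarder that polls the server, which is worth reviewing before enabling Restart Splunkd on them.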
Deployment server: /opt/splunk/bin/splunk list deploy-clients
Deployment server: /opt/splunk/bin/splunk reload deploy-server
Deployment server: /opt/splunk/bin/splunk list deploy-clients
On the Universal Forwarder: ls -l /opt/splunkforwarder/etc/apps (you should see the apps under this directory)
On the Universal Forwarder: /opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme
On the Universal Forwarder: /opt/splunkforwarder/bin/splunk list forward-server -auth admin:changeme
To verify that the Splunk server has indexed events, search:
index=_internal host="Your_host" component="TcpOutputProc"
An app can have configuration files that might be needed by the deployment client
- metadata/local.meta
- local/app.conf
- local/inputs.conf
- local/outputs.conf
- local/props.conf
Examples of the config files are below.
$ cat /opt/splunk/etc/deployment-apps/send_to_fw1/metadata/local.meta
access = read : [ * ], write : [ admin ]
export = system
———————————————————————————————————-
$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/app.conf
[package]
check_for_updates = false
[install]
state = enabled
[ui]
is_visible = false
is_manageable = false
[launcher]
author= Patel Lab
description= sending files to forwarder
version=1.0
———————————————————————————————————–
$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/inputs.conf
[monitor:///var/log/access.log]
disabled=false
index=web
blacklist=secure.log
whitelist=access.log
[monitor:///var/log/secure.log]
disabled=false
index=secure
blacklist=access.log
whitelist=secure.log
———————————————————————————————-
$ more /opt/splunk/etc/deployment-apps/send_to_fw1/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://172.31.10.172:9997]
[tcpout:default-autolb-group]
disabled = false
server = 172.31.10.172:9997,172.31.0.168:9997
[tcpout-server://172.31.0.168:9997]
————————————————————————————————-
[splunker@ip-172-31-1-1 local]$ /opt/splunk/bin/splunk list deploy-clients -auth admin:splunk
An authentication error occurred: Client is not authenticated
[splunker@ip-172-31-1-1 local]$
On the forwarder: /opt/splunkforwarder/bin/splunk set deploy-poll 172.31.1.1:8089 -auth admin:changeme
On the forwarder: /opt/splunkforwarder/bin/splunk restart
On the forwarder: /opt/splunkforwarder/bin/splunk show deploy-poll -auth admin:changeme
On the deployment server: /opt/splunk/bin/splunk list deploy-clients -auth admin:splunk