Getting Data In

How to locally edit a universal forwarder configuration that was pushed via a deployment server?

nbowman
Path Finder

I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.

Splunk_TA_windows/
├── default
│   └── inputs.conf #unchanged defaults
├── local
│   └── inputs.conf #edited

I enabled the Security log in local/inputs.conf, like:

[WinEventLog://Security]
disabled = 0

Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:

[WinEventLog://Application]
disabled = 0

Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?

0 Karma

Runals
Motivator

Not sure I'm following all of your app/local/ stuff. The reason I say that is you will need to become familiar with the order of precedence for Splunk components. When the agent first starts up it will read through the $SPLUNK_HOME/etc/system/default directory, move up to $SPLUNK_HOME/etc/apps/default, move to $SPLUNK_HOME/etc/apps/local, then back to $SPLUNK_HOME/etc/system/local. In the case of competing configs the last one read in wins. If a user makes a change in /etc/system/local there is nothing you can push from your deployment server that will override the setting, short of a script that makes a change to /etc/system/local.

The local Windows TA installed on the UFs should be in the /etc/apps folder, so I'd push a package starting with 00 to make it 'win' over what is there now if you want to control changes the user makes. The app name doesn't have to match; you just need a matching monitor statement name. Hope that helps.

ryangrobbel
Explorer

You can do it locally under /etc/system/local/inputs.conf. This won't be overridden. This is assuming you haven't defined it in the TA's inputs.conf (the one you're pushing out) as disabled.

0 Karma

nbowman
Path Finder

If I enabled in system/local with:

[WinEventLog://Security]
disabled = 0

Would the configs in Splunk_TA_windows/default/inputs.conf be applied?

[WinEventLog://Application]
disabled = 1 -> 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

Or will he have to copy/paste all that into system/local?

0 Karma

ryandg
Communicator

Those are two entirely different stanzas so they do not impact each other. Adding a new stanza to etc/system/local will only modify pre-existing stanzas if the stanzas are the same.

For example if you added a stanza like

[WinEventLog://Security]
disabled = 1

to etc/system/local this would override your deployment client's inputs.conf and effectively disable the collection on that box.

0 Karma
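The layering Runals describes (system/default, then the apps, then system/local, last one read wins, with an app whose name starts with 00 sorting ahead of Splunk_TA_windows) and the stanza-by-stanza merging ryandg describes can be checked with a small simulation. The following Python is an added example written for this thread, not Splunk's code. The directory layout and the app name 00_forced_inputs are assumptions, and the TA default values are constructed from the fragments quoted earlier in the thread. It goes one step past the answers above: Splunk merges stanzas attribute by attribute, so a user who adds only `disabled = 0` for `[WinEventLog://Application]` in system/local still inherits start_from, checkpointInterval and the rest from Splunk_TA_windows/default/inputs.conf. On a real forwarder, confirm the effective result with `splunk btool inputs list --debug`.

```python
"""Layer Splunk inputs.conf fragments the way a Universal Forwarder does.

Constructed illustration for this thread, not Splunk code.  It models the
documented global-context precedence of .conf files, lowest to highest:

    etc/system/default  <  etc/apps/*/default  <  etc/apps/*/local  <  etc/system/local

Among apps, directory names compare in ASCII order and the name that sorts
FIRST has the HIGHER precedence, so an app called 00_forced_inputs beats
Splunk_TA_windows.  Stanzas merge attribute by attribute: a higher layer only
replaces the keys it actually sets.
"""
from configparser import ConfigParser
from typing import Dict, Tuple

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse one .conf file into {stanza: {key: value}}; '#' lines are comments."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. checkpointInterval
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def layer_of(path: str) -> Tuple[int, str]:
    """Return (layer rank, app name) for a path under $SPLUNK_HOME/etc."""
    parts = path.split("/")  # etc/system/<scope>/... or etc/apps/<app>/<scope>/...
    if parts[1] == "system":
        return (0 if parts[2] == "default" else 3), ""
    return (1 if parts[3] == "default" else 2), parts[2]


def effective_config(files: Dict[str, str]) -> Conf:
    """Merge all files into the configuration the forwarder would actually run."""
    # Within an app layer, apply apps in DESCENDING name order so the app that
    # sorts first in ASCII is applied last and wins; the second sort is stable.
    by_app_desc = sorted(files, key=lambda p: layer_of(p)[1], reverse=True)
    ordered = sorted(by_app_desc, key=lambda p: layer_of(p)[0])
    merged: Conf = {}
    for path in ordered:
        for stanza, attrs in parse_conf(files[path]).items():
            merged.setdefault(stanza, {}).update(attrs)  # per-key override
    return merged


# Constructed TA defaults, built from the fragments quoted in the thread.
TA_DEFAULT = """
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
"""


def scenario_user_edits_system_local() -> Conf:
    """Deployed TA enables Security; the user enables Application in system/local."""
    return effective_config({
        "etc/apps/Splunk_TA_windows/default/inputs.conf": TA_DEFAULT,
        "etc/apps/Splunk_TA_windows/local/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 0\n",
        "etc/system/local/inputs.conf":
            "[WinEventLog://Application]\ndisabled = 0\n",
    })


def scenario_override_app(user_layer: str) -> Conf:
    """Deployment server pushes a 00_* app (assumed name) forcing Security off;
    user_layer is the file where the user tried to turn it back on."""
    return effective_config({
        "etc/apps/Splunk_TA_windows/default/inputs.conf": TA_DEFAULT,
        "etc/apps/00_forced_inputs/local/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 1\n",
        user_layer: "[WinEventLog://Security]\ndisabled = 0\n",
    })


if __name__ == "__main__":
    for stanza, attrs in scenario_user_edits_system_local().items():
        print(stanza, attrs)
    ta_local = "etc/apps/Splunk_TA_windows/local/inputs.conf"
    print("00 app vs TA local :", scenario_override_app(ta_local)["WinEventLog://Security"]["disabled"])
    print("00 app vs system/local:",
          scenario_override_app("etc/system/local/inputs.conf")["WinEventLog://Security"]["disabled"])
```

The two override runs show both halves of Runals' point: the pushed 00_forced_inputs app wins over an edit the user made in Splunk_TA_windows/local, but loses to the same edit in etc/system/local, which nothing deployed under etc/apps can beat.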