Solved: How to modify some configurations in the input.con...

hswoo2000 · ‎10-15-2013

Hi all
I need to make all universal forwarders to send with its own IP address to the server.

I have a deployment server in place.

Is there any way we can configure the file in each client centrally?

The one I know that in each client, I can add the below line in the input.conf under $HOME/etc/system/local

[WinEventLog:Security]
host=x.x.x.x

but is there any way I can apply this through the deploy server ? or any other ways that can send its own source IP to the server?

Regards,

Joseph Woo

watsm10 · ‎10-15-2013

There's no easy way to edit system/local using the deployment server. You will have to manually delete the inputs.conf and outputs.conf files from system/local and point your forwarder to your deployment server (by editing the deploymentclient.conf file) and restarting Splunk.

From there, you can edit the serverclass.conf file on your deployment server (which will store all of the names of your servers which has forwarders on them.)

Then you can create a simple app in etc/deployment-apps consisting of an inputs.conf and outputs.conf file (similar to what you already had on your forwarder, but you will be able to control this remotely without messing around with the forwarder).

To make sure the forwarder uses IP address, use connection_host=IP as an option for your [WinEventLog:Security] stanza in the inputs.conf file in your app.

Once the app has been created, you will use the "splunk reload deploy-server" command to send the app to your forwarder.

View solution in original post

watsm10 · ‎10-15-2013

There's no easy way to edit system/local using the deployment server. You will have to manually delete the inputs.conf and outputs.conf files from system/local and point your forwarder to your deployment server (by editing the deploymentclient.conf file) and restarting Splunk.

From there, you can edit the serverclass.conf file on your deployment server (which will store all of the names of your servers which has forwarders on them.)

Then you can create a simple app in etc/deployment-apps consisting of an inputs.conf and outputs.conf file (similar to what you already had on your forwarder, but you will be able to control this remotely without messing around with the forwarder).

To make sure the forwarder uses IP address, use connection_host=IP as an option for your [WinEventLog:Security] stanza in the inputs.conf file in your app.

Once the app has been created, you will use the "splunk reload deploy-server" command to send the app to your forwarder.

watsm10 · ‎10-16-2013

OK. If you have an automated way (we use blade logic), you can set up a job to remove the inputs.conf and outputs.conf files from your forwarders and add a deploymentclient.conf file with the details of your deployment server (see splunk docs), then trigger a restart. If you don't have an automated way to do this, you will have to do the same thing manually... 😞

hswoo2000 · ‎10-15-2013

both 2003 and 2008.......I need to check with my colleague how they deployed the all forwarders in the first place...but let's suppose two ways that we both have a tool for the automation and we don't have it....any difference?

watsm10 · ‎10-15-2013

What operating system are your forwarders running on? Do you have an automated way of installing the forwarders? i.e. how did you install on 500 servers in the first place?

hswoo2000 · ‎10-15-2013

thanks very much for your comments!!
To manually delete the inputs.conf and outputs.conf files from system/local means that I should log in to 500 clients and delete them indivisually?? or any other easier ways?

How to modify some configurations in the input.conf of universal forwarder through deployment server

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life