Getting Data In

How is deployment of universal forwarders on AWS servers being done? Ideas needed.

theouhuios
Motivator

Hello

Since many companies are moving towards cloud-based servers, how can we handle Splunk UF deployment on cloud servers which come and go all the time? We were able to deploy the UF and send a Linux app to them, which works fine. But how are people deploying application-related configs?

Since it's not a standalone box, they have to automatically get the apps defined in serverclass. How are Splunk Admins handling this? Let's say a new box is spun up and it has 4-5 applications installed on it by the Unix team. How do you tell your UF to update itself with the configs for those applications?

We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed). Any other ways people are doing it? Please share your views and ideas.

Lucas_K
Motivator

"We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed)."

You shouldn't need to add clientNames for already existing classes for new apps. Just add an extra line into the same class pointing at the new app name (you don't need an extra class per app!).

Define your classes using wildcards and you can mix and match your apps based on a combination clientName.

Example classes.

You could have separate classes with separate apps or combine them into groups.

[serverClass:linux]
blacklist.0 = *
whitelist.0 = linux_*
[serverClass:linux:app:Splunkfornix]
[serverClass:linux:app:someothernix_app]

[serverClass:web_server]
blacklist.0 = *
whitelist.0 = *_web_server
[serverClass:web_server:app:Splunkforapache]
[serverClass:web_server:app:someotherweb_app]

[serverClass:database]
blacklist.0 = *
whitelist.0 = *_database
[serverClass:database:app:SplunkforOracle]
[serverClass:database:app:someotherdb_app]


Server #1, clientName "linux_web_server", gets these apps:
Splunkfornix
someothernix_app
Splunkforapache
someotherweb_app

Server #2, clientName "linux_database", gets these apps:
Splunkfornix
someothernix_app
SplunkforOracle
someotherdb_app

You can do as many of these as you like, so you can use the clientName as the key to which groups of apps you get.

0 Karma

starcher
SplunkTrust

Using clientName, or a well-defined hostname pattern you can match on, is the best way to automatically assign apps. So it's best to ensure your systems set a good FQDN hostname prior to the first time Splunk runs. Otherwise the current hostname at the time gets cached in $SPLUNK_HOME/etc/system/local/inputs.conf in the default stanza. You would need to update that and restart the UF.

Lucas_K
Motivator

+1 to the clientName option.

We also use clientName filtering. As long as the deployment client gets the deployment server IP and a matching client name, then they will get all the appropriate apps. You can add as many clients as you want without having to make any deployment server changes. This is by far the fastest & simplest method for deployment.

0 Karma
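The two answers above fit together as a provisioning step: starcher's point that the hostname must be an FQDN before the UF first starts (because the first-start name is cached in system/local/inputs.conf), and Lucas_K's point that a clientName such as linux_web_server is enough for the serverclass whitelists to hand out the right app groups. The script below is an added example, not code from this thread or from Splunk; it composes the clientName from the roles it finds on the host and writes deploymentclient.conf before the first start. SPLUNK_HOME, DS_TARGET and the paths checked in detect_roles are placeholders and assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Run once at provisioning time (for
# example from cloud-init) before the universal forwarder starts for the first time.
# Assumptions: SPLUNK_HOME, DS_TARGET and the role-detection paths are placeholders.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DS_TARGET="${DS_TARGET:-deploymentserver.example.com:8089}"   # placeholder

# detect_roles: print one role per line. Every host is "linux"; the extra roles are
# inferred from what the Unix team installed. The paths checked are illustrative.
detect_roles() {
    printf 'linux\n'
    if [ -x /usr/sbin/httpd ] || [ -x /usr/sbin/apache2 ]; then
        printf 'web_server\n'
    fi
    if [ -d /etc/oracle ] || [ -d /u01/app/oracle ]; then
        printf 'database\n'
    fi
    return 0
}

# build_client_name ROLE...: join the roles with '_' in the order given, so the
# result matches whitelists such as linux_* and *_web_server from the answer above.
build_client_name() {
    name=""
    for role in "$@"; do
        name="${name:+${name}_}${role}"
    done
    printf '%s\n' "$name"
}

# hostname_is_usable: succeed only when the host already has a fully qualified
# name; otherwise a placeholder name would be cached in system/local/inputs.conf
# on the first start and the serverclass hostname filters would never match.
hostname_is_usable() {
    h=$(hostname -f 2>/dev/null || hostname 2>/dev/null)
    case "$h" in
        ''|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_deploymentclient_conf DIR NAME: write the stanzas the UF reads at start.
write_deploymentclient_conf() {
    dir=$1
    name=$2
    mkdir -p "$dir"
    cat > "$dir/deploymentclient.conf" <<EOF
[deployment-client]
clientName = $name

[target-broker:deploymentServer]
targetUri = $DS_TARGET
EOF
}

# Only touch SPLUNK_HOME when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    hostname_is_usable || { echo "set an FQDN hostname before starting the UF" >&2; exit 1; }
    set -- $(detect_roles)     # roles contain no whitespace, so word splitting is safe
    write_deploymentclient_conf "$SPLUNK_HOME/etc/system/local" "$(build_client_name "$@")"
fi
```

Because the serverclass side matches on wildcards, a host whose role list changes only needs its clientName rewritten and the UF restarted; no deployment server change is required, which is the property Lucas_K describes.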