How to automate Splunk forwarder configurations for server.conf?

fd26645
Path Finder

I'm trying to write a script to change the local/server.conf settings in a large number of splunkforwarders. Mainly I am trying to disable SSL settings so that they stop showing up in security scans.

I am finding this to be extremely challenging. I am getting a lot of sed errors due to the sslKeysfilePassword containing special characters. I want to change/add settings but if a setting doesn't exist I need to insert it in the correct section.

I can't help but think there must be a better way to manage this. I have a large number of splunkforwarders and editing server.conf manually on each one is going to be a huge chore. I have heard mention of the deployment manager or something like that but also have read that it doesn't manage the server.conf file.

--Edit--
If there were a splunk CLI command that would change the specific settings, that would solve my problem also, but I don't think it exists, unfortunately. Like: splunk configure set allowSslCompression = false. That way I could easily change the setting I want to change without having to worry about the format of the config file.

0 Karma
1 Solution

fd26645
Path Finder

Scripting the configuration of the server.conf file becomes much simpler when you set sslKeysfilePassword = password

Then you can just use a heredoc to set the file the way you want it.

0 Karma

masonmorales
Influencer

I would recommend setting up a deployment server and configuring your universal forwarders as deployment clients. You can use the deployment server to update the server.conf files on every forwarder (or set of forwarders), along with every other configuration file on the forwarders, all without ever having to login to the forwarders.

Here are some resources to get you started:
About deployment server and forwarder management
Wiki: Deployment Server
Configure deployment clients
Plan a deployment

0 Karma

fd26645
Path Finder

From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.

0 Karma

musskopf
Builder

Wouldn't it be better, instead of editing the file, to simply replace it with a new version? Or at least a couple of standard versions of this file?

If you have that big a number of servers, an orchestration tool might help as well 😉

0 Karma

fd26645
Path Finder

If I replace it with a new file I need to preserve the hostname and the SSL key password, and that is difficult to do via script. The SSL password in particular contains special characters that need to be escaped for use with sed. Since the key is different for each forwarder I can't be sure which characters will need to be escaped and the sed command fails.

0 Karma
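
The sed escaping problem described above can be avoided by editing the stanza with awk and passing the values through the environment. This is an added example, not code from the thread or from Splunk: the helper name `set_conf_key` and the sample password are made up, and it assumes `allowSslCompression` and `sslKeysfilePassword` sit under `[sslConfig]` in server.conf.

```shell
#!/bin/sh
# set_conf_key FILE STANZA KEY VALUE  (hypothetical helper, not a Splunk command)
# Sets "KEY = VALUE" inside [STANZA], adding the key or the stanza when missing.
# Every other line is copied unchanged, so an existing sslKeysfilePassword
# never passes through a sed expression or a shell expansion.
set_conf_key() {
    file=$1
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Strings reach awk through ENVIRON, where '\', '&', '/' and '$' stay literal.
    CONF_STANZA=$2 CONF_KEY=$3 CONF_VALUE=$4 awk '
        function add_if_missing() { if (inside && !done) { print newline; done = 1 } }
        BEGIN { stanza = ENVIRON["CONF_STANZA"]; key = ENVIRON["CONF_KEY"]
                newline = key " = " ENVIRON["CONF_VALUE"] }
        /^[ \t]*\[.*\][ \t]*$/ {                 # stanza header
            add_if_missing()                     # leaving the target stanza
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
            inside = (name == stanza); if (inside) seen = 1
            print; next
        }
        inside && !done {                        # look for the key by exact name
            line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=")
            if (eq > 0) {
                k = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", k)
                if (k == key) { print newline; done = 1; next }
            }
        }
        { print }
        END { add_if_missing(); if (!seen) { print "[" stanza "]"; print newline } }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Constructed sample file; the password is made up and full of sed metacharacters.
demo=$(mktemp -d)/server.conf
printf '%s\n' '[general]' 'serverName = fwd-01' '' '[sslConfig]' \
    'sslKeysfilePassword = $1$a/b&c\d|e' > "$demo"
set_conf_key "$demo" sslConfig allowSslCompression false
cat "$demo"
```

Because the file is replaced with `mv`, it ends up owned by the invoking user with the mode `mktemp` gives it, so run the helper as the account the forwarder runs under.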

satishsdange
Builder

Did you try deployment server? You can use that for pushing/editing configurations.

0 Karma

fd26645
Path Finder

From what I have read so far the deployment server will only manage apps located under $SPLUNK_HOME/etc/apps. But the server.conf file is located under $SPLUNK_HOME/etc/system/local.

0 Karma