Deployment Architecture

Using Splunk deployment server to deploy apps to fwd servers

brent_weaver
Builder

Good morning. I inherited an enterprise Splunk env. We have 4 index servers, a lic server and a deployment server. I find this configuration much more difficult than a standalone config. How do I utilize the deployment server to deploy apps to the fwd clients?

I am finding Splunk documentation to be sparse and scattered and quite honestly horrible!!! So any help is much appreciated!

0 Karma

woodcock
Esteemed Legend

You should already have an app that contains an outputs.conf so you will add your forwarder to this serverclass so that he knows where to send his stuff. Then all your new app needs is an inputs.conf file and you should be good to go.

0 Karma

brent_weaver
Builder

What is the bare min I need to deploy an app that logs /var/log/messages?

0 Karma

brent_weaver
Builder

Here is a log file from my Linux forwarder I installed:
Script started on Sun 19 Jul 2015 08:08:14 PM EDT
/root/dev/packages # ls
splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
/root/dev/packages # rpm -iv splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
warning: splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 653fb112: NOKEY
Preparing packages...
splunkforwarder-6.2.4-271043.x86_64
complete
/root/dev/packages # which splunk
/opt/splunkforwarder/bin/splunk
/root/dev/packages # splunk start --accept-license

This appears to be your first time running this version of Splunk.

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Generating a 1024 bit RSA private key
...........++++++
...........++++++

writing new private key to 'privKeySecure.pem'

Signature ok
subject=/CN=devopslinux/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
[ OK ]
/root/dev/packages # splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
/root/dev/packages # splunk set deploy-poll 10.11.0.4:9997
Your session is invalid. Please login.
Splunk username: admin
Password:
Configuration updated.
You need to restart the Splunk Server (splunkd) for your changes to take effect.
/root/dev/packages # service splunk restart
Restarting splunk (via systemctl): [ OK ]
/root/dev/packages # exit
exit

Script done on Sun 19 Jul 2015 08:13:51 PM EDT
/root #

What am I missing? This node is not showing up as a client in forwarder management.

Thanks!

0 Karma

brent_weaver
Builder

Thank you all for responding... I still cannot get this to work. Is there a place I can read about this from start to finish?

How do I get my Linux server to show up as a forwarder? I have installed the fwd on Linux w/o incident and set it up with splunk set-deploy 10.11.0.4:9997.

Any help is MUCH appreciated.

0 Karma

acharlieh
Influencer

That could be your problem. 9997 is typically the port used to send data to Splunk for indexing. The deployment server runs as part of the management port (aka the Splunk API port), which is by default port 8089.

0 Karma

brent_weaver
Builder

I changed the port and reinstalled the whole thing and this still does not work. If I started out of the box to set this up is there ONE place I can look for a full configuration of Splunk? I am more than certain it is something I am doing wrong, problem is the documentation is a rat race to find anything. So scattered. Sorry I am just frustrated.

0 Karma

MuS
SplunkTrust
0 Karma

woodcock
Esteemed Legend

Assuming that everything is set up correctly, to deploy a new app to forward new data in from existing forwarders (you really should be more specific about what you are trying to do, what you have tried, and what errors or problems you are having), you just create a new app on the DS in a spot like $SPLUNK_HOME/etc/deployment-apps/MyApp/. Be sure to have the appropriate inputs.conf, props.conf and transforms.conf, at a minimum. Then create a new serverclass and add to it all the forwarders that should get the new app. Lastly, force the DS to recognize (and act upon) your changes with this command:

 $SPLUNK_HOME/bin/splunk reload deploy-server

Here are a few links that you may not have tried:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Updating/Createdeploymentapps
http://docs.splunk.com/Documentation/Splunk/6.2.4/Updating/Updateconfigurations
https://www.youtube.com/watch?v=3i3Sz3aPrts

0 Karma

pradeepkumarg
Influencer

You will have to configure serverclass.conf on the deployment server to define your deployment clients (forwarder servers), place the desired apps under deployment-apps, and target those apps against the defined serverclass.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Admin/Serverclassconf

Once your configs are ready, you issue the below command and the clients will get the apps that they need:

./splunk reload deploy-server

0 Karma
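
The layout described in the replies above, as an added example that is not any poster's own configuration: a deployment app with only an inputs.conf for /var/log/messages, a server class that targets it, and a client deploymentclient.conf checked for the 9997-versus-8089 mix-up. The server class name linux_messages, the syslog sourcetype, the scratch directories and the use of devopslinux as the client name are assumptions; outputs.conf is assumed to arrive in a separate app.

```shell
#!/usr/bin/env bash
# Added example: builds the files in a scratch directory, not a live $SPLUNK_HOME.
set -eu

build_ds_layout() {
    # $1 = directory standing in for $SPLUNK_HOME on the deployment server
    local root="$1" app="MyApp"
    mkdir -p "$root/etc/deployment-apps/$app/local" "$root/etc/system/local"

    # The app itself: one monitor input (sourcetype is an assumed choice).
    cat > "$root/etc/deployment-apps/$app/local/inputs.conf" <<'EOF'
[monitor:///var/log/messages]
sourcetype = syslog
disabled = false
EOF

    # Server class: which clients receive MyApp (client name is assumed).
    cat > "$root/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:linux_messages]
whitelist.0 = devopslinux

[serverClass:linux_messages:app:MyApp]
restartSplunkd = true
stateOnClient = enabled
EOF
}

write_client_conf() {
    # $1 = stand-in for the forwarder's $SPLUNK_HOME, $2 = host:port of the DS
    mkdir -p "$1/etc/system/local"
    printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = %s\n' "$2" \
        > "$1/etc/system/local/deploymentclient.conf"
}

check_target_port() {
    # Prints the targetUri port; fails if it is 9997, the usual data-receiving port.
    local port
    port=$(sed -n 's/^targetUri *= *.*:\([0-9][0-9]*\) *$/\1/p' \
        "$1/etc/system/local/deploymentclient.conf")
    echo "$port"
    [ "$port" != "9997" ]
}

# Demo run against constructed scratch directories.
demo=$(mktemp -d)
build_ds_layout "$demo/ds"
write_client_conf "$demo/uf" "10.11.0.4:8089"
check_target_port "$demo/uf"
```

On a real deployment server the same files go under $SPLUNK_HOME, followed by the reload deploy-server command quoted in the replies.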