
How to update a bunch of forwarders that already use non-SSL to use SSL

a212830
Champion

Hi,

I have a bunch (~100) of forwarders that are using Splunk, but my customer has asked me to enable SSL. I know how to configure that piece. These forwarders are configured using the Deployment Server, and have a server class that utilizes a non-SSL outputs.conf. So, my question is, how do I update these forwarders without having to go in and remove each server from the non-SSL server class (which would be manual, and a PITA)? Can I add an outputs.conf to the app that handles the monitoring? If the inputs and outputs were bundled, would that outputs.conf take precedence? Or is that a bad practice?

Update: What if I added these servers to the blacklist associated with the non-SSL outputs serverclass? Does a blacklist take precedence over a whitelist in the deployment server?


sloshburch
Splunk Employee

Apologies if I oversimplify this:

I assume you have an input on the indexers for SSL and another for non SSL already.

You should have two apps: forwarder_ssl and forwarder_nonssl (I made up these names to explain this).

forwarder_ssl obviously has the configuration (outputs.conf) for SSL-related forwarding.
forwarder_nonssl has the inverse: outputs.conf for non-SSL forwarding.

So just comment out the serverclass.conf definition for the nonssl part and set the SSL one to be blacklisted for your indexers (so it matches EVERYTHING but indexers). Then everyone is using the SSL forwarder config.

Precedence in app configuration goes in reverse order. So, an app 'z' is loaded first, but then overwritten by an app 'a' with matching configuration. That only matters for stanzas that are the same name. I don't think that's relevant here, just good to know.

I lost you on the outputs.conf that "handles the monitoring" and what inputs and outputs you would bundle in this scenario.

a212830
Champion

Thanks Burch, but I don't want everyone using SSL. That's too big of a change.

dflodstrom
Builder

Use two server classes and whitelist the appropriate group of forwarders depending on the SSL preference. Apply the SSL apps to the corresponding server class and voila.

You can even keep all of your forwarders in the non-SSL server class to begin with and add them to the SSL server class slowly so you can monitor this change easily. (Test in your lab too!)

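The two-server-class layout described above, as an added example that is not part of the original thread or Splunk's own configuration. The server class names, host patterns, indexer address, port and certificate path are placeholders; the app names are the made-up ones from the earlier reply. It relies on the deployment server rule that a client matching any blacklist entry is excluded from a server class even when it also matches a whitelist entry.

```ini
# ---- serverclass.conf on the deployment server (constructed example) ----

# Existing non-SSL class: still matches everything, minus the SSL subset.
[serverClass:forwarders_nonssl]
whitelist.0 = *
# Blacklist wins over whitelist, so these hosts drop out of this class
# without editing the whitelist. Patterns are placeholders.
blacklist.0 = app-web-0*.example.com
blacklist.1 = db-prod-*.example.com

[serverClass:forwarders_nonssl:app:forwarder_nonssl]
restartSplunkd = true

# New SSL class: whitelist the same patterns that were blacklisted above.
# Grow both lists together as more forwarders are migrated.
[serverClass:forwarders_ssl]
whitelist.0 = app-web-0*.example.com
whitelist.1 = db-prod-*.example.com

[serverClass:forwarders_ssl:app:forwarder_ssl]
restartSplunkd = true

# ---- forwarder_ssl/local/outputs.conf (deployed to the SSL class) ----

[tcpout]
defaultGroup = ssl_indexers

[tcpout:ssl_indexers]
# Must point at the indexers' SSL-enabled receiving port (placeholder).
server = idx1.example.com:9998
# clientCert is the current setting name; older releases use sslCertPath.
clientCert = $SPLUNK_HOME/etc/auth/forwarder_client.pem
sslPassword = <certificate key password>
# Validate the indexer's certificate instead of only encrypting the link.
sslVerifyServerCert = true
```

If a forwarder ends up in both classes, both apps define `defaultGroup` under `[tcpout]`, and because app directories are merged in ASCII order `forwarder_nonssl` takes precedence over `forwarder_ssl`, so the host would keep sending in cleartext. Keeping the blacklist and whitelist entries in step avoids that overlap.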

a212830
Champion

Anyone? Bueller?


Jeremiah
Motivator

Are you enabling SSL universally, or just for a specific subset of forwarders? How do you deploy your outputs.conf today? Is it in its own app?


a212830
Champion

It's just for a subset of forwarders. Our outputs gets pushed via an app on the deployment server.
