Getting Data In

How to edit a local universal forwarder configuration that was pushed via deployment server?

nbowman
Path Finder

I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.

Splunk_TA_windows/
├── default
│   └── inputs.conf #unchanged defaults
├── local
│   └── inputs.conf #edited

I enabled the Security log in local/inputs.conf, like:

[WinEventLog://Security]
disabled = 0

Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:

[WinEventLog://Application]
disabled = 0

Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?

0 Karma

Runals
Motivator

Not sure I'm following all of your app/local/ stuff. The reason I say that is that you will need to become familiar with the order of precedence for Splunk components. When the agent first starts up it will read through the $SPLUNK_HOME/etc/system/default directory, move up to $SPLUNK_HOME/etc/apps/default, move to $SPLUNK_HOME/etc/apps/local, then back to $SPLUNK_HOME/etc/system/local. In the case of competing configs, the last one read in wins. If a user makes a change in /etc/system/local there is nothing you can push from your deployment server that will override the setting, short of a script that makes a change to /etc/system/local.

The local Windows TA installed on the UFs should be in the /etc/apps folder, so I'd push a package starting with 00 to make it 'win' over what is there now if you want to control changes the user makes. The app name doesn't have to match; you just need a matching monitor statement name. Hope that helps.

ryangrobbel
Explorer

You can do it locally under /etc/system/local/inputs.conf. This won't be overridden. This is assuming you haven't defined it in the TA's inputs.conf (the one you're pushing out) as disabled.

0 Karma

nbowman
Path Finder

If I enabled in system/local with:

[WinEventLog://Security]
disabled = 0

Would the configs in Splunk_TA_windows/default/inputs.conf be applied?

[WinEventLog://Application]
disabled = 1 -> 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

Or will he have to copy/paste all that into system/local?

0 Karma

ryandg
Communicator

Those are two entirely different stanzas so they do not impact each other. Adding a new stanza to etc/system/local will only modify pre-existing stanzas if the stanzas are the same.

For example, if you added a stanza like

[WinEventLog://Security]
disabled = 1

to etc/system/local this would override your deployment client's inputs.conf and effectively disable the collection on that box.

0 Karma
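The layering rules described in the replies above (Runals' read order with the last file read winning per setting, ryandg's point that only identically named stanzas override each other, and nbowman's question about whether the untouched keys in Splunk_TA_windows/default/inputs.conf survive a system/local override) can be checked with a small simulation. This is an added example, not code from the thread or from Splunk; it models the read order as system/default, every app's default, every app's local, then system/local, with the app whose name sorts first in ASCII order read last among apps so that it wins. The file contents are constructed from the stanzas quoted in the thread, and the path strings and the 00_site_override app name are assumptions.

```python
"""Simulate how a universal forwarder layers inputs.conf stanzas and report
which file ends up owning each setting. Added example; the read order below
is a model of Splunk's documented precedence, not Splunk's own code."""


def parse_conf(text):
    """Minimal .conf parser: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def read_order(system_default, apps, system_local):
    """Yield (path, text) pairs in the order the forwarder reads them.
    apps: {app_name: {"default": text, "local": text}}; a missing file is ""."""
    yield "etc/system/default/inputs.conf", system_default
    # The ASCII-first app must win among apps, so it is read last.
    ordered = sorted(apps, reverse=True)
    for scope in ("default", "local"):
        for app in ordered:
            yield f"etc/apps/{app}/{scope}/inputs.conf", apps[app].get(scope, "")
    yield "etc/system/local/inputs.conf", system_local


def merge(layers):
    """Later files win per key; same-named stanzas merge, others never interact.
    Returns (effective, provenance) with provenance[(stanza, key)] -> path."""
    effective, provenance = {}, {}
    for path, text in layers:
        for stanza, keys in parse_conf(text).items():
            effective.setdefault(stanza, {})
            for key, value in keys.items():
                effective[stanza][key] = value
                provenance[(stanza, key)] = path
    return effective, provenance


# Constructed file contents, modelled on the stanzas quoted in the thread.
TA_DEFAULT = """\
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
"""
TA_LOCAL = "[WinEventLog://Security]\ndisabled = 0\n"         # pushed by the deployment server
SYSTEM_LOCAL = "[WinEventLog://Application]\ndisabled = 0\n"  # the user's box-local change


def effective_inputs(system_local=SYSTEM_LOCAL, extra_apps=None):
    """Merge the TA plus any extra apps (e.g. a 00-prefixed override app)."""
    apps = {"Splunk_TA_windows": {"default": TA_DEFAULT, "local": TA_LOCAL}}
    apps.update(extra_apps or {})
    return merge(read_order("", apps, system_local))


if __name__ == "__main__":
    effective, provenance = effective_inputs()
    for stanza, keys in effective.items():
        print(f"[{stanza}]")
        for key, value in keys.items():
            print(f"  {key} = {value}    <- {provenance[(stanza, key)]}")
```

The output shows that the user's system/local stanza flips only `disabled` for the Application log while `start_from`, `checkpointInterval` and the rest still come from the TA's default file, so nothing needs to be copied. On a real forwarder the same provenance view is what `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints, and that is the command to run before and after a deployment-server push to confirm which file owns each setting.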