Hi,
Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?
Not going that route seems like the right approach. There is usually a good reason that certain scenarios are not covered in the security guide:
https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Hardeningstandards
I agree with all three comments above.
The answer is no, you can't do it on a universal forwarder. You could do it on a heavy forwarder, but be careful that you do it with security in mind. Bmacias84 gave some great info on settings you should consider if you do this with a heavy forwarder.
What you could do is execute scripts via scripted inputs and deploy those via the deployment server.
If you want to do this, I would suggest using a HF and extending the Splunk REST endpoints with restmap.conf. restmap.conf supports requireAuthentication settings.
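A restmap.conf stanza of the kind suggested above, hardened for a heavy forwarder, as an added example that is not part of the original post or of Splunk's shipped configuration. The app name, endpoint path, handler module and class, capability name, role name and address range are all hypothetical.

```ini
# --- $SPLUNK_HOME/etc/apps/my_script_app/default/restmap.conf ---
# (hypothetical app on the heavy forwarder)

[script:run_maintenance]
# URL path under /services that this handler answers on (hypothetical)
match = /my_script_app/run_maintenance
# Python handler: bin/run_maintenance_handler.py, class RunMaintenance
# (hypothetical module and class names)
scripttype = python
handler = run_maintenance_handler.RunMaintenance
# Reject requests that do not carry a valid splunkd session or credentials.
# Setting this to false would let any client that can reach the
# management port trigger the script.
requireAuthentication = true
# Require a dedicated capability for the method that runs the script,
# so an ordinary authenticated user cannot call it.
capability.post = run_maintenance_script
# Restrict callers to the admin network (constructed example range).
acceptFrom = 10.0.0.0/24
output_modes = json

# --- $SPLUNK_HOME/etc/apps/my_script_app/default/authorize.conf ---

# Declare the custom capability referenced above.
[capability::run_maintenance_script]

# Grant it only to a narrow, purpose-built role (hypothetical name).
[role_maintenance_operator]
run_maintenance_script = enabled
```

The handler itself should run a fixed script path and treat request parameters as untrusted input rather than passing them to a shell.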
I am wondering the same. Since the handling seems to be done by $SPLUNK_HOME/bin/rest_handler.py, I think it will not work, since there is no Python on a universal forwarder.
I have a script that I would like to expose as a custom REST endpoint, but I get a 400/bad request as a reply.
If there is any, I'd be very careful about exposing it. Properly securing that endpoint would be an interesting challenge.