Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Deployment server not seeing FQDN

echalex
Builder
‎10-01-2012 12:23 AM

Hi,

I have a bit of problem with seeing the host name as FQDN. This is a problem both in the deployment server and the *NIX app. I noticed previously that the Deployment monitor wasn't seeing the FQDN, but that got fixed by this command on each forwarder:

splunk set servername $(hostname -f)

I noticed that this only changed etc/system/local/server.conf and not etc/system/local/inputs.conf. The change was visible in the Deployment Monitor, but not the Deployment Server or the *NIX app. So, I changed etc/system/local/inputs.conf too:

[splunk@splunk-uf-01 splunkforwarder]$ find etc -name \*.conf |xargs grep $(hostname -s)
etc/system/local/inputs.conf:host = splunk-uf-01.dom.ain.tld
etc/system/local/server.conf:serverName = splunk-uf-01.dom.ain.tld

But this change is still not visible in the Deployment Server:

[splunk@splunk-dep-srv ~]$ splunk list deploy-clients |grep hostname:  |grep uf-01
         hostname:       splunk-uf-01

This is a problem since some of my server classes rely on the FQDN. It is also annoying that the hostnames seen by the deployment server are mixed, ie. sometimes with the FQDN and sometimes without.

Any help would certainly be appreciated.

0 Karma
Reply

Drainy
Champion
‎10-01-2012 01:36 AM

May be a silly point but did you restart the forwarder after making the changes? Also is the hostname for the box itself correct?

Some good debug to do could be to check there are no more instances of the incorrect hostname by running the following command on your UF's;
(In $SPLUNK_HOME/bin/)

./splunk cmd btool server list --debug AND

./splunk cmd btool inputs list --debug

This will list all the config options from each of those config files, add a >> output.txt to the end so you can dump the output to a file and search that for any more occurances of the hostname. Its possible its defined elsewhere and overriding your current settings.

Reply

echalex
Builder
‎10-01-2012 07:21 AM

Here's what etc/system/local/inputs.conf looks like:

[default]
host = indexer-11.dom.ain.tld

[splunktcp-ssl:9996]

[SSL]
password = verysecret
requireClientCert = true
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
0 Karma
Reply

Drainy
Champion
‎10-01-2012 07:11 AM

you can define the hostname in the inputs.conf on the indexer side too, I was wondering if you'd checked if that had been defined?

0 Karma
Reply

echalex
Builder
‎10-01-2012 07:08 AM

How do you mean exactly? Do you mean "are we using hostname-based whitelists"? If so, the answer is no, the listen port is open to all.

0 Karma
Reply

Drainy
Champion
‎10-01-2012 03:35 AM

Is the host defined on the indexer itself in its inputs?

0 Karma
Reply

echalex
Builder
‎10-01-2012 03:31 AM

Thanks, Drainy.

Yes, I restarted the computer and printer before calling helpdesk. 😉 Joking aside, I restarted the universal forwarder and the the deployment server for good measure, but it didn't make a difference, I'm afraid...

The btool commands are useful and basically confirm that the FQDN is used throughout the configuration.

Any chance that the first version of the name is cached somewhere? I've only tried grepping *.conf and *.csv files on both the forwarder and deployment server.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...