Getting Data In

How come our forwarder is not getting configuration from deployment server?

Ajinkya1992
Path Finder

Hello Everyone,

I have set up my own test environment where I have my deployment server (DS) on Windows with Splunk 7.2.3.

I have configured the server class and apps on the DS, and also, I have mapped SC with the client as well.

Then I placed my inputs.conf and outputs.conf files on repository location.

($SplunkHome\etc\deployment-apps-UF1\local\

Now, once everything is done, my forwarder is receiving UF1 & local folder along with app.conf, which is the auto-generated file at \SplunkUniversalForwarder\etc\apps\UF1\local.

I am not sure if the forwarder is getting this many details, then what is the exact issue that it is not getting inputs and outputs.conf?

Can you please assist what exactly I need to troubleshoot

inputs.conf
[monitor://C:\abc\tmp\access_30Days.logs]
index = weblogs

Outputs.conf
[tcpout:xyz]
server : x.x.x.x:9997, z.z.z.z:9997

0 Karma
1 Solution

dkeck
Influencer

HI,

So deploymentclients.conf is working? client is phoneing home?

in the _internal you should see if your forwardes is downloading the app from your deplyoment server or not.

Just search for the name of your app.

PS: $SplunkHome\etc\deployment-apps-UF1\local\ Is there just a slash missing or is your folder named "deployment-apps-UF1"?. That would be wrong

View solution in original post

0 Karma

dkeck
Influencer

HI,

So deploymentclients.conf is working? client is phoneing home?

in the _internal you should see if your forwardes is downloading the app from your deplyoment server or not.

Just search for the name of your app.

PS: $SplunkHome\etc\deployment-apps-UF1\local\ Is there just a slash missing or is your folder named "deployment-apps-UF1"?. That would be wrong

0 Karma

Ajinkya1992
Path Finder

Hi dkeck,
Thanks for your response.
Yes, I can see my deploymentclient.conf is perfect because it is auto-generated as once I have installed forwarder at that time only have provided DS IP. Even client phoning also works perfectly which is a few seconds ago.
sorry for this ($SplunkHome\etc\deployment-apps-UF1\local) as it is typo it is like this $SplunkHome\etc\deployment-apps\UF1\local

Regarding downloading the app - yes I can see in _internal on DS that it is downloading the app but the interesting thing is checksum is not at all getting changed for all actions like install, download. I even uninstalled app twice but still on installed checksum is exactly same

Also, I was exploring more _internal index I could see two types of events repeatedly:
1) WARN Application - There might be some btool errors in the app at C:\Program Files\Splunk\etc\deployment-apps\UF1, Deployment Clients receiving this app might not start up. We recommend fixing these errors and reloading the serverclass

2) ERROR Archiver - Failed to open file= "C:\Program Files\Splunk\etc\deployment-apps\UF1\local\inputs.conf" : Access is denied
ERROR Archiver - Failed to open file= "C:\Program Files\Splunk\etc\deployment-apps\UF1\local\outputs.conf" : Access is denied

Is it something related to permissions?
@woodcock -- Do you have any suggestion on this?

0 Karma

dkeck
Influencer

Nr 2) definitely sounds like a permission issue, please check recursive if all the permissions in your deployment-apps and UF1 app are correct. Meaning splunk user has access to them.

Could be that you uploaded the inputs via external, and it has permissions for root only etc.

Ajinkya1992
Path Finder

Yep. It was related to the permission issue. The user which I was logged in was unable to open inputs.conf and outputs.conf

Thanks for your help guys !!!1
Cheers !!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...