- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Customer wants to manage forwarders with deploymen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Customer wants to manage forwarders with deployment server but we need to insist the batch ingest directory is locked
I've read (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles) that the precedence
of a given copy of the inputs.conf is:
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority
The issue is we want to control the ingest directory for "batch:" mode to just one particular directory and even though we will have the deployment server activated, we don't want it to be able to add or change that directory. So for example if my $SPLUNK_HOME/etc/system/local/inputs.conf only contains this:
[batch:///path/to/directory/*.ext]
disabled = 0
recursive = false
move_policy = sinkhole
I do not want the admins on the deployment server to be able to do any of:
1) add another monitor or batch ingest from any other directory path than /path/to/directory/*.ext (which is set in the system local copy)
2) edit the system/local/inputs.conf batch: entry to a different path or make it a monitor (or edit it at all).
I was originally thinking that simply having a inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf would be enough to lock this down but then this in the docs concerns me:
Splunk first uses the attributes from any copy of the file in system/local.
Then it looks for any copies of the file located in the app directories,
adding any attributes found in them, but ignoring attributes already
discovered in system/local. As a last resort, for any attributes not
explicitly assigned at either the system or app level, it assigns
default values from the file in the system/default directory.
What defines an "attribute"? Suppose an inputs.conf is added by the deployment server to SPLUNK_HOME/app/myapp/inputs.conf
containing
[batch:///path/to/some/other/directory/*.ext]
disabled = 0
recursive = false
move_policy = sinkhole
is that a different 'attribute' because the path is different? What I really want is for the SPLUNK_HOME/etc/system/local/inputs.conf to be the one and only place it can get ANY ingest directory to get files to go to the indexer. So is there a way to lock that down?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the stanzas are the same, priority will be a problem.
The following stanzas are different.
[batch:///path/to/directory/.ext]
[batch:///path/to/some/other/directory/.ext]
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
