Deployment Architecture

Why is deployment server ignoring inputs.conf and server.conf settings for host and serverName?

colbym
Engager

Due to automation constraints, we can't change the actual hostname on the Linux box, and they are replaced with different IP/hostname each morning. I can set the hostname in the local inputs.conf, and server.conf, but that still does not cause the DS to deploy the app, even though it correctly labels the events with the assigned host name that are sent by the default all_clients apps.

I have to manually add the new IP to the clients list to get the other app to install, and after that i get events in the index with the desired hostname.

Somehow DS only recognizes the actual Linux host name for deployments and ignores the settings in inputs.conf and server.conf

How can I force the app to be installed other than the native linux host name? This app is only for a few servers out of hundreds.

0 Karma

woodcock
Esteemed Legend

Don't use DNS/hostnames at all, give each box a splunk-specific hostnamish name that never has to change. The dox here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

Say this:

clientName = deploymentClient
* Defaults to deploymentClient.
* A name that the deployment server can filter on.
* Takes precedence over DNS names.

So do:

clientName = DBServer1234

And use that in your DS whitelist/blacklist.

0 Karma

sbattista09
Contributor

Are these VMs?

0 Karma

colbym
Engager

Yes they are VMs.

I think I found a workaround by setting the desired name in deploymentclient.conf

I manually added it and restarted services and deployment server picked it up and sent the app.

Final test is to see if adding that to automation process will allow hands off app install when deployed.

0 Karma

sbattista09
Contributor

cool, so when i work with VM's I black list the VM they build the golden image on and then and white list the ones you want to manage via the deployment server. (i only place the deploymnetclient.conf file on the golden image) You also should be running ./splunk clone-prep-clear-config on the golden image, this will remove the server names and other unique things. also setting the app to auto restart when the clients check in and grabs the updated apps will be needed, its just a check mark box in the dep server

https://docs.splunk.com/Documentation/Forwarder/7.2.5/Forwarder/Makeauniversalforwarderpartofahostim...

One thing to be aware of is... The "check sum" in the .conf files can "out of sync" if you deploy .conf files via SCCM or have them set in the golden image.

We found this out the hard way with SCCM, none of our deployment files were applying because they looked the same on the deplyer and i assume the UF would say " yah i am good so no need to update my files... ever again." we fix by adding a comment like #FROM SCCM and then when they check in it over writes the .conf files.

hope this helps!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...