Splunk Enterprise

Several apps - outputs.conf for each one?

msarro
Builder

Hi everyone. I am trying to figure out how to best approach a deployment server.

We are using encryption between our forwarders and indexers. In a perfect world I could create an app which would be placed on every forwarder which would contain nothing but an outputs.conf file, the CA and forwarder certificate. However if I do this, will those settings be applied for every single app deployed on those systems?

If not, does every app placed on a forwarder need to have its own certificate settings?

Just unsure about the proper way to proceed here. The goal is to make it so that when we have to replace the certificates, we have as few modifications to make as possible. It's easier to troubleshoot one app than to troubleshoot 20+ apps.

1 Solution

kristian_kolb
Ultra Champion

Yes, that can be done. The usability of the approach is highly dependent on having the same forwarder certificate for all forwarders.

When doing this from scratch:
1. Create a deployment app containing the outputs.conf and the PEMs.
2. Create a new serverclass to match any host, and assign the forwarding app to the class.
3. Reload the Deployment Server config.
4. Install a forwarder, make sure that you only specify the ip:port of the Deployment Server, all other configs (i.e. what to monitor, and where to send it) should come through the DS.
5. Restart the forwarder.

When the certs expire, you should be able to change the app (new PEMs/password) and all forwarders should be good to go.

Watch out so that you don't push this conf to already configured and working forwarders. On those existing forwarders, you could have settings outside the scope of what can be controlled through the DS, so you might have to manually remove, e.g. outputs.conf from etc/system/local or certificates from /etc/certs.

Set up a test rig and play around.

Hope this helps,

Kristian
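The five steps above, and the original question's "app that contains nothing but outputs.conf plus the CA and forwarder certificate", laid out as an added example (this is not code from the thread or from Splunk). It writes the deployment app, the catch-all server class, and the forwarder's deploymentclient.conf stub, and adds a check for the caveat about already-configured forwarders: an outputs.conf under etc/system/local or under any app's local/ directory outranks the pushed app's default/outputs.conf, so the rotated certificate paths would silently not take effect. The app name fwd_outputs, the hostnames, port 9997, the sslPassword value and the PEM contents are all placeholders assumed for illustration; sslRootCAPath is shown in outputs.conf as it was configured on forwarders of that era, newer releases take it from server.conf [sslConfig].

```shell
#!/bin/sh
# Added example, not from the original thread or from Splunk.
# Assumed names: app "fwd_outputs", idx1/idx2.example.com:9997,
# ds.example.com:8089, placeholder PEM bodies and sslPassword.

# Step 1: the deployment app on the DS. Only outputs.conf and the two
# PEMs live here, so a certificate rotation is one app update.
make_deployment_app() {
    ds_root="$1"                       # e.g. /opt/splunk on the DS
    app="$ds_root/etc/deployment-apps/fwd_outputs"
    mkdir -p "$app/default" "$app/certs"

    # Constructed placeholder PEMs; the real ones come from your CA.
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER CA\n-----END CERTIFICATE-----\n' \
        > "$app/certs/ca.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER FWD\n-----END CERTIFICATE-----\n' \
        > "$app/certs/forwarder.pem"

    cat > "$app/default/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
# Paths point into this app, so replacing the PEMs here rotates every forwarder
clientCert = $SPLUNK_HOME/etc/apps/fwd_outputs/certs/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/fwd_outputs/certs/ca.pem
# Private key passphrase (placeholder); Splunk rewrites it on first start
sslPassword = change-me
# Refuse to send to an indexer whose cert does not chain to ca.pem
sslVerifyServerCert = true
EOF
}

# Step 2: a server class that matches every host and carries the app.
make_serverclass() {
    ds_root="$1"
    mkdir -p "$ds_root/etc/system/local"
    cat > "$ds_root/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:fwd_outputs]
# outputs.conf changes need a splunkd restart to be picked up
restartSplunkd = true
stateOnClient = enabled
EOF
}

# Step 3 is run on the DS itself: $SPLUNK_HOME/bin/splunk reload deploy-server

# Step 4: the forwarder gets only the DS address; everything else arrives
# through the server class. Equivalent to: splunk set deploy-poll ds.example.com:8089
make_forwarder_stub() {
    fwd_root="$1"                      # e.g. /opt/splunkforwarder
    mkdir -p "$fwd_root/etc/system/local"
    cat > "$fwd_root/etc/system/local/deploymentclient.conf" <<'EOF'
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
EOF
}

# The caveat: before pointing an existing forwarder at the DS, make sure no
# higher-precedence outputs.conf will shadow the pushed app. Precedence is
# etc/system/local > etc/apps/*/local > etc/apps/*/default.
# Returns 0 when clean, 1 when a conflicting file is found (listed on stderr).
check_forwarder_clean() {
    fwd_root="$1"
    status=0
    for f in "$fwd_root/etc/system/local/outputs.conf" \
             "$fwd_root"/etc/apps/*/local/outputs.conf; do
        if [ -e "$f" ]; then
            echo "CONFLICT: $f outranks the deployed app's default/outputs.conf" >&2
            status=1
        fi
    done
    return $status
}

# Dry run in a scratch directory (call this by hand):
#   demo /tmp/splunk-lab
demo() {
    lab="$1"
    make_deployment_app "$lab/ds"
    make_serverclass "$lab/ds"
    make_forwarder_stub "$lab/fwd"
    check_forwarder_clean "$lab/fwd" && echo "forwarder clean, safe to enrol"
}
```

Run check_forwarder_clean against each legacy forwarder first; where it reports a conflict, move the old outputs.conf aside (and the certificates it references) before the DS enrols that host, otherwise the rotated PEMs in the app will never be used.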

msarro
Builder

That's exactly what I was looking for. Now I can just leave the older boxes alone, and eventually move them over to using the deployment server without too much impact to service. It's good to know that you can make an app with nothing more than an outputs.conf file.
