How do we standardize configs across thousands of servers?

Dimitri_McKay
Splunk Employee

It does not appear that there's any way to do host templating. We have 1000s of servers, many of which are based off of server profiles (e.g., Linux web server) with standardized configs. If we wanted to add a new monitor to 120 servers of a certain class, how could we accomplish that?

0 Karma
1 Solution

Dimitri_McKay
Splunk Employee

This is EXACTLY what the Deployment Server is built for. So, to do mass configuration, you can use any mass config tool you typically would use (say Puppet or Chef or Altiris or ...), but if you do, you'll need to restart the UniversalForwarder to get it to reread the configs and start pushing. However, if you use DeploymentServer, that happens for free. Just modify the templates and magically new data flows in.

yannK
Splunk Employee

I would also add that:

  • deployment servers should be dedicated Splunk instances (otherwise the client connections kill the performance) (P.S. on Linux you can run another Splunk instance on the same box if you change the ports)
  • a single deployment server can handle up to 500 clients, so for larger deployments, use multiple deployment servers (you can cascade them)
0 Karma
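
An added example, not part of the thread or of Splunk's own material, of how the "Linux web server" profile from the question could be expressed as a Deployment Server server class that pushes one new monitor input to every matching forwarder. The host names, server class name, app name, log path and index are assumptions chosen for illustration.

```ini
# --- On the deployment server ---------------------------------------
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# One server class per server profile; membership is decided by the
# client's host name (constructed pattern, adjust to your naming scheme).
[serverClass:linux_web]
whitelist.0 = web-*.example.com

# Map the app that carries the inputs to that server class.
[serverClass:linux_web:app:linux_web_inputs]
stateOnClient = enabled
# Restart the forwarder after the app is installed or updated so the
# new input is read.
restartSplunkd = true

# $SPLUNK_HOME/etc/deployment-apps/linux_web_inputs/local/inputs.conf
# The new monitor every Linux web server should pick up.
# Path and index are hypothetical.
[monitor:///var/log/nginx/access.log]
sourcetype = access_combined
index = web
disabled = false

# --- On each Universal Forwarder ------------------------------------
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Points the forwarder at the deployment server's management port
# (hypothetical host name).
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

After editing `serverclass.conf`, running `splunk reload deploy-server` on the deployment server makes it reread the server classes; clients fetch the app on their next check-in.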