

In this blog post, I will introduce the Splunk Deployment Server and give some best-practice recommendations for the app and server class structure. I already see a lot of Splunk deployments with a terrible app and server class structure, which makes it very difficult to manage the Splunk infrastructure. Therefore, I decided to write this blog post.

A Splunk deployment server is used for the distribution of content and configurations. With a Splunk deployment server and a good app / server class structure, it can be easy to manage thousands of Splunk instances. Even though a deployment server can be used to manage any Splunk instance, its main focus is to manage the configurations of Universal Forwarders (UF) and Heavy Forwarders (HF). Splunk instances which are remotely managed by a deployment server are called deployment clients. The deployment clients are configured by the deployment server using deployment apps and server classes. A deployment app is a set of configurations. It can contain only a single configuration file such as nf, or multiple configuration files. A server class is a group of deployment clients which share the same characteristics. For example, a group of Linux universal forwarders collecting the logs of /var/log/messages can be configured using a single server class.

The best practice for the deployment app and server class structure is to keep the amount of configuration in a single deployment app as low as possible. Subsequently, use server classes with different combinations of deployment apps to easily manage your Splunk infrastructure.

The goal of this tutorial is to remotely manage the configuration of a single Universal Forwarder (it could just as well be 1000 without a problem), which should collect the logs of /var/log/messages and /var/log/secure. The logs need to be forwarded to a Splunk Indexer and, furthermore, the management port should be disabled for security reasons.

We will use the following Splunk deployment apps:

- lab_inputs_linux_messages: contains an nf configuration to monitor /var/log/messages.
- lab_inputs_linux_secure: contains an nf configuration to monitor /var/log/secure.
- lab_outputs: contains a nf configuration to forward the data to an indexer.
- lab_disable_management_port: contains a nf configuration to disable the management port of a universal forwarder.

These apps are combined into a single server class called lab_universal_forwarder, which is a class for all deployment clients sharing the following characteristics:

- monitor /var/log/messages and /var/log/secure.

That was enough theory, let's start to configure Splunk.

Prepare the Splunk deployment server

Every Splunk Enterprise instance can be configured to be a deployment server. I recommend having one dedicated deployment server (unless other constraints do not allow it). In order to configure a deployment server, you simply need to put some apps under /opt/splunk/etc/deployment-apps/. The minimal structure needed for a Splunk app is a folder with the name of the app in /opt/splunk/etc/deployment-apps/ and a subfolder named local or default (for your own apps, I recommend local):

mkdir lab_inputs_linux_messages

Subsequently, an nf configuration is created in …/lab_inputs_linux_messages/local/nf with the content:

Additionally, we will copy the app we just created:

cp -R lab_inputs_linux_messages/ lab_inputs_linux_secure

And then change the nf configuration under …/lab_inputs_linux_secure/local/nf with the content:

Furthermore, an nf configuration is needed.
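The app layout and the one-app-per-concern rule described above, as an added shell example that is not part of the original post: it builds the four lab_* apps under a deployment-apps root of your choice, writes a serverclass.conf binding them to the lab_universal_forwarder class, and checks that every app carries exactly one configuration file. The index name "lab", the sourcetypes and the indexer address are assumed placeholders.

```shell
# Added example, not from the original post. Builds the four lab_* deployment apps
# and the lab_universal_forwarder server class. The index name "lab", the
# sourcetypes and the indexer host:port are assumed placeholders.
set -eu

make_app() {                        # make_app <root> <app> <conf-file> <content>
  mkdir -p "$1/$2/local"            # one app = one folder plus a local/ subfolder
  printf '%s\n' "$4" > "$1/$2/local/$3"
}

build_lab_apps() {                  # build_lab_apps <deployment-apps root> <indexer host:port>
  root=$1; indexer=$2
  make_app "$root" lab_inputs_linux_messages inputs.conf \
"[monitor:///var/log/messages]
sourcetype = linux_messages_syslog
index = lab"
  make_app "$root" lab_inputs_linux_secure inputs.conf \
"[monitor:///var/log/secure]
sourcetype = linux_secure
index = lab"
  make_app "$root" lab_outputs outputs.conf \
"[tcpout]
defaultGroup = lab_indexers
[tcpout:lab_indexers]
server = $indexer"
  # A universal forwarder does not need its management (REST) port; switch it off
  make_app "$root" lab_disable_management_port server.conf \
"[httpServer]
disableDefaultPort = true"
}

# serverclass.conf: one class whose whitelist matches every client, plus one
# stanza per app so that all four apps are pushed to clients of that class
write_serverclass() {               # write_serverclass <path to serverclass.conf>
  {
    printf '[serverClass:lab_universal_forwarder]\nwhitelist.0 = *\n'
    for app in lab_inputs_linux_messages lab_inputs_linux_secure \
               lab_outputs lab_disable_management_port; do
      printf '\n[serverClass:lab_universal_forwarder:app:%s]\nrestartSplunkd = true\n' "$app"
    done
  } > "$1"
}
# Best-practice check: each app carries exactly one .conf file in local/
check_one_conf_per_app() {          # check_one_conf_per_app <deployment-apps root>
  for d in "$1"/*/; do
    n=$(find "$d/local" -name '*.conf' | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "$(basename "$d") has $n conf files" >&2; return 1; }
  done
}
```

On a real deployment server the apps go under /opt/splunk/etc/deployment-apps/ and serverclass.conf under $SPLUNK_HOME/etc/system/local/, followed by a reload of the deployment server.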
