
In this blog post, I will introduce the Splunk Deployment Server and give some best practice recommendations for the app and server class structure. I already see a lot of Splunk deployments with a terrible app and server class structure, which makes it very difficult to manage the Splunk infrastructure. Therefore, I decided to write this blog post.

A Splunk deployment server is used to distribute content and configurations. With a Splunk deployment server and a good app / server class structure, it can be easy to manage thousands of Splunk instances.

The main focus of a Splunk deployment server is to manage the configurations of Universal Forwarders (UF) and Heavy Forwarders (HF), even though a deployment server can be used to manage any Splunk instance. Splunk instances which are remotely managed by a deployment server are called deployment clients. The deployment clients are configured by the deployment server using deployment apps and server classes. A deployment app is a set of configurations; it can contain only a single configuration file, such as nf, or multiple configuration files. A server class is a group of deployment clients which share the same characteristics. For example, a group of Linux Universal Forwarders collecting the logs of /var/log/messages can be configured using a single server class.

Best practice for the deployment app and server class structure is to keep the amount of configuration in a single deployment app as low as possible. Subsequently, use server classes with different combinations of deployment apps to easily manage your Splunk infrastructure.

The goal of this tutorial is to remotely manage the configuration of a single Universal Forwarder (it could also be 1000 without a problem), which should collect the logs of /var/log/messages and /var/log/secure. The logs need to be forwarded to a Splunk Indexer, and furthermore the management port should be disabled for security purposes. We will use the following Splunk deployment apps:
lab_outputs: contains an nf configuration to forward the data to an indexer.
lab_inputs_linux_secure: contains an nf configuration to monitor /var/log/secure.
lab_inputs_linux_messages: contains an nf configuration to monitor /var/log/messages.
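As an added example (mine, not code from the original post), here is the lab setup described above laid out as the files a deployment server and a forwarder actually carry: the three lab apps as single-purpose deployment apps under etc/deployment-apps, a serverclass.conf that ties them to one Linux server class, the forwarder-side deploymentclient.conf and a server.conf that switches off the management port, plus a small check that flags any deployment app bundling more than one .conf file. The Splunk file and stanza names are the standard ones; the hostnames, ports, index and sourcetype values are assumptions for the lab.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the three lab deployment
# apps and serverclass.conf into a deployment server's $SPLUNK_HOME, the
# forwarder-side files into a forwarder's $SPLUNK_HOME, and checks that no
# deployment app bundles more than one .conf file.
# Hostnames, ports, index and sourcetype names below are assumptions.
set -eu

# write_lab_deployment_apps <SPLUNK_HOME of the deployment server>
write_lab_deployment_apps() {
    apps="$1/etc/deployment-apps"
    mkdir -p "$apps/lab_outputs/local" "$apps/lab_inputs_linux_secure/local" \
             "$apps/lab_inputs_linux_messages/local" "$1/etc/system/local"

    # lab_outputs: its only job is "send everything to the indexer" (host assumed)
    cat > "$apps/lab_outputs/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
server = indexer.lab.example:9997
EOF

    # lab_inputs_linux_secure: only /var/log/secure (sourcetype and index assumed)
    cat > "$apps/lab_inputs_linux_secure/local/inputs.conf" <<'EOF'
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = false
EOF

    # lab_inputs_linux_messages: only /var/log/messages
    cat > "$apps/lab_inputs_linux_messages/local/inputs.conf" <<'EOF'
[monitor:///var/log/messages]
sourcetype = syslog
index = os
disabled = false
EOF

    # One server class for all Linux forwarders; each app is its own stanza, so
    # adding or dropping a log source is a one-stanza change, not an app rewrite.
    cat > "$1/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:lab_linux_uf]
whitelist.0 = *
machineTypesFilter = linux-x86_64

[serverClass:lab_linux_uf:app:lab_outputs]
restartSplunkd = true

[serverClass:lab_linux_uf:app:lab_inputs_linux_secure]
restartSplunkd = true

[serverClass:lab_linux_uf:app:lab_inputs_linux_messages]
restartSplunkd = true
EOF
}

# write_forwarder_local <SPLUNK_HOME of the Universal Forwarder>
# Two settings the deployment server cannot push to a client before it has
# one: where the deployment server is, and the management port switched off.
write_forwarder_local() {
    mkdir -p "$1/etc/system/local"
    cat > "$1/etc/system/local/deploymentclient.conf" <<'EOF'
[deployment-client]

[target-broker:deploymentServer]
targetUri = deploy.lab.example:8089
EOF
    # Closing the management port removes a listening REST service from every
    # forwarder; the deployment client polls outbound, so it keeps being managed.
    cat > "$1/etc/system/local/server.conf" <<'EOF'
[httpServer]
disableDefaultPort = true
EOF
}

# list_fat_apps <SPLUNK_HOME of the deployment server>
# Prints every deployment app that bundles more than one .conf file, i.e. the
# apps that break the "as little configuration per app as possible" rule.
list_fat_apps() {
    for app in "$1"/etc/deployment-apps/*/; do
        [ -d "$app" ] || continue
        n=$(find "$app" -name '*.conf' | wc -l | tr -d ' ')
        [ "$n" -gt 1 ] && basename "$app"
    done
    return 0
}
```

After writing or changing serverclass.conf on the deployment server, run `$SPLUNK_HOME/bin/splunk reload deploy-server` so the clients pick up the new app set on their next poll. With disableDefaultPort set, the splunk CLI commands on that forwarder that talk to the local splunkd over the management port stop working, so do the outbound-only check (does the forwarder still appear under the deployment server's clients and does data still arrive at the indexer) rather than expecting local CLI queries to succeed.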