Module 6: Forwarder Management Flashcards
A ___ is the tool for managing remote Splunk instances centrally.
deployment server
___ is a graphical interface built on top of the deployment server
forwarder management
Why use forwarder management?
- Centralised – handle thousands of forwarders from one system
- Distribute configuration files
- Monitor the availability of forwarders and restart them remotely
What is a Splunk deployment server?
- A tool to manage Splunk conf files
- A Splunk Enterprise license is required
- Can be accessed via Splunk Web
- Keep a dedicated host for the deployment server (recommended)
- Cannot be used for installing/upgrading forwarders
What is a deployment app?
- Mechanism to distribute configuration files to forwarders
- App must adhere to standard app directory structure
- It can contain configuration files, scripts, views and other resource
- On the DS, apps are stored in $SPLUNK_HOME/etc/deployment-apps
- On the forwarders, apps will be deployed in $SPLUNK_HOME/etc/apps
How do you set up a deployment server?
- Create at least one app in $SPLUNK_HOME/etc/deployment-apps
* The forwarder management UI is not activated until at least one deployment app is found there
How do you set up a deployment client?
- Forwarders must be set up as deployment clients
- The primary configuration file is deploymentclient.conf
- Can use the command ./splunk set deploy-poll <deployment_server>:8089 (8089 is the default management port)
- deploymentclient.conf is located in $SPLUNK_HOME/etc/system/local
Name the customisations of the deploymentclient.conf
- targetUri – must be under the [target-broker:deploymentServer] stanza; specifies the deployment server host and management port
- clientName – custom name that can be used by the DS in serverclass.conf whitelists/blacklists instead of the hostname
- phoneHomeIntervalInSecs – how frequently the client checks the DS for new content (default = 60)
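A complete deploymentclient.conf showing all three customisations together. This is an added example, not from the course material; the deployment server hostname ds.example.com, the client name and the 300-second interval are assumed values.

```ini
# deploymentclient.conf on a forwarder, placed in $SPLUNK_HOME/etc/system/local
# Added example; ds.example.com, web-prod-01 and the 300 s interval are assumed values

[deployment-client]
# Name the DS sees for this client; serverclass.conf whitelists can match on it
# instead of the hostname, IP or DNS name
clientName = web-prod-01
# Check in every 5 minutes instead of the 60 s default to reduce load on a DS
# that serves thousands of clients (changes take up to 300 s to arrive)
phoneHomeIntervalInSecs = 300

[target-broker:deploymentServer]
# Deployment server host and management port (8089 is the default)
targetUri = ds.example.com:8089
```

Running ./splunk set deploy-poll ds.example.com:8089 writes only the [target-broker:deploymentServer] stanza; clientName and phoneHomeIntervalInSecs have to be added by editing the file. The forwarder must be restarted for the change to take effect.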
What is a serverclass?
- Maps groups of clients to deployment apps
- Clients can be grouped based on client name, host name, IP address, DNS name or machine types
- Defined in serverclass.conf
How do you create a serverclass?
- You can manually edit serverclass.conf or use Splunk Web
- Choose hosts to include (whitelist) and to exclude (blacklist)
- Assign one or more apps to the serverclass
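A serverclass.conf with two server classes, each with whitelist, blacklist, machine-type filter and app assignments, as an added example that is not from the course material. The class names, hostname patterns, IP range and app names are assumed; the apps are assumed to exist under $SPLUNK_HOME/etc/deployment-apps on the DS.

```ini
# serverclass.conf on the deployment server, in $SPLUNK_HOME/etc/system/local
# Added example; class names, host patterns, IP range and app names are assumed

[global]
# Defaults inherited by every serverClass and app stanza below unless overridden
restartSplunkd = false
stateOnClient = enabled

# Linux web tier: match on the clientName set in deploymentclient.conf,
# and never deploy to a host whose name marks it as decommissioned
[serverClass:linux_web]
whitelist.0 = web-prod-*
blacklist.0 = *-decom
machineTypesFilter = linux-x86_64

# First app for this class: the inputs.conf for web access logs.
# Restart splunkd so the new inputs are picked up.
[serverClass:linux_web:app:web_access_inputs]
restartSplunkd = true

# Second app for the same class: outputs.conf pointing at the indexers
[serverClass:linux_web:app:indexer_outputs]
restartSplunkd = true

# Windows domain controllers: match by DNS name or IP range, no clientName needed
[serverClass:windows_dc]
whitelist.0 = dc*.corp.example.com
whitelist.1 = 10.20.30.*
machineTypesFilter = windows-x64

[serverClass:windows_dc:app:windows_security_inputs]
restartSplunkd = true
```

A client that matches a serverClass receives every app assigned to it; a blacklist entry overrides a whitelist match. After editing the file, run ./splunk reload deploy-server on the DS so the change is picked up without a restart. Because a deployment app can carry scripts that run on every client it is pushed to, write access to $SPLUNK_HOME/etc/deployment-apps and serverclass.conf on the DS amounts to code execution on every forwarder; restrict it to the same people who may administer the forwarders themselves.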
How do you monitor forwarders?
- Forwarder monitoring can be enabled from the monitoring console (recommended)
- Periodically, using internal logs from the forwarders, a forwarder asset table (lookup) is built
- We can monitor
  - Forwarder state (active/missing)
  - Data throughput (KB/s)
  - Event throughput (events/s)
What is rebuilding the forwarder assets table and why is it used?
- The monitoring console marks a forwarder as missing if it has not reported in the past 15 minutes
- To stop decommissioned forwarders from being reported as missing, you can rebuild the forwarder assets table
- This is a resource-intensive process, so run it during off-peak hours
- Monitoring console > settings > forwarder monitoring setup > rebuild forwarder assets