puppet-splunk icon indicating copy to clipboard operation
puppet-splunk copied to clipboard

Published 20 hours ago verified publisher icon voxpupuli

Disable management of output.conf

Open dafydd2277 opened this issue 7 years ago • 1 comments

The Puppet code I'm working on and the desktop I'm writing this from are air-gapped. Please forgive any typos.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: Enterprise 2017.2
  • Ruby: Bundled
  • Distribution:
  • Module version: 7.3.0

How to reproduce (e.g Puppet code you use)

First, note specifically that I'm not using the optional server parameter in my class resource.

class { 'splunk::params':
  src_root => 'puppet:///modules/local_splunk',
  version  => $local_splunk::linux::forwarder_version,
  build    => $local_splunk::linux::forwarder_build,
}

and I'm using splunkforwarder_deploymentclient:

splunkforwarder_deploymentclient { 'deploymentServer':
  section => 'target-broker:deploymentServer',
  setting => 'targetUri',
  value   => "${local_splunk::server}.${local_splunk::domain}:${local_splunk::port}",
}

What are you seeing

I am not specifically configuring output.conf in any way, because I expect the Splunk deployment server to do that. However, this module insists on setting the following in output.conf:

[defaultGroup]
defaultGroup=splunk_9997

[tcpout:splunk_9997]
server=splunk:9997

It will ignore any other [tcpout:*] blocks, but it insists on maintaining [tcpout:splunk_9997] and it overrides defaultGroup if any other value is given. So, if the Splunk deployment server (which I do not control) has identified a specific output destination, out of several, for a particular Splunk agent to forward its logs to, that destination will be overridden by puppet/Splunk.

What behaviour did you expect instead

If the Type splunk*_deploymentconf is invoked, do not manipulate the content of any other file in ${splunk_base}/etc/system/local/, unless a resource entry is specifically made. Instead, assume the Splunk deployment server managing their content. Managing ownership and permissions should be fine, but managing content should be disabled in the absence of defined splunk*_<file> resource entries.

One possible solution would be to add a parameter to splunk::params that specifies whether the server parameter in that class should be set in output.conf or deploymentclient.conf. And, if the latter, stop managing the content of all other settings files.

dafydd2277 avatar Nov 06 '18 23:11 dafydd2277

while investigating a similar desire, I found that if you set

splunk::forwarder::forwarder_ouput

to an empty hash via hiera or class parameter, that outputs.conf does not get the default config based on splunk::params::server.

at which point you can use splunkforwarder_deploymentclient or splunkforwarder_ouput manually however you'd like.

hope it helps.

cqwense avatar Mar 28 '19 14:03 cqwense