voxpupuli / puppet-splunk

Manage Splunk servers and forwarders using Puppet
https://forge.puppet.com/puppet/splunk
Apache License 2.0

Disable management of output.conf #208

Open dafydd2277 opened 6 years ago

dafydd2277 commented 6 years ago

The Puppet code I'm working on and the desktop I'm writing this from are air-gapped. Please forgive any typos.

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

First, note specifically that I'm not using the optional server parameter in my class resource.

class { 'splunk::params':
  src_root => 'puppet:///modules/local_splunk',
  version  => $local_splunk::linux::forwarder_version,
  build    => $local_splunk::linux::forwarder_build,
}

and I'm using splunkforwarder_deploymentclient:

splunkforwarder_deploymentclient { 'deploymentServer':
  section => 'target-broker:deploymentServer',
  setting => 'targetUri',
  value   => "${local_splunk::server}.${local_splunk::domain}:${local_splunk::port}",
}

What are you seeing

I am not specifically configuring output.conf in any way, because I expect the Splunk deployment server to do that. However, this module insists on setting the following in output.conf:

[defaultGroup]
defaultGroup=splunk_9997

[tcpout:splunk_9997]
server=splunk:9997

It will ignore any other [tcpout:*] blocks, but it insists on maintaining [tcpout:splunk_9997] and it overrides defaultGroup if any other value is given. So, if the Splunk deployment server (which I do not control) has identified a specific output destination, out of several, for a particular Splunk agent to forward its logs to, that destination will be overridden by puppet/Splunk.

What behaviour did you expect instead

If the Type splunk*_deploymentconf is invoked, do not manipulate the content of any other file in ${splunk_base}/etc/system/local/, unless a resource entry is specifically made. Instead, assume the Splunk deployment server is managing their content. Managing ownership and permissions should be fine, but managing content should be disabled in the absence of defined splunk*_<file> resource entries.

One possible solution would be to add a parameter to splunk::params that specifies whether the server parameter in that class should be set in output.conf or deploymentclient.conf. And, if the latter, stop managing the content of all other settings files.

cqwense commented 5 years ago

While investigating a similar desire, I found that if you set

splunk::forwarder::forwarder_output

to an empty hash via Hiera or class parameter, outputs.conf does not get the default config based on splunk::params::server.

At which point you can use splunkforwarder_deploymentclient or splunkforwarder_output manually however you'd like.

Hope it helps.
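An added example, not part of the thread or of the puppet-splunk code base: a small audit that shows how the stanzas quoted in the issue, sitting in etc/system/local, shadow the forwarding target a deployment-server app intends, because Splunk gives system/local precedence over app-level configuration. The deployment app content, the host name idx-b.example.internal and all function names are constructed for illustration.

```python
import configparser

# Stanzas exactly as quoted in the issue (what the module writes to system/local).
SYSTEM_LOCAL_FROM_ISSUE = """\
[defaultGroup]
defaultGroup=splunk_9997

[tcpout:splunk_9997]
server=splunk:9997
"""

# Constructed sample of an outputs.conf pushed inside a deployment-server app.
DEPLOYMENT_APP = """\
[tcpout]
defaultGroup = site_b

[tcpout:site_b]
server = idx-b.example.internal:9997
"""

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def default_group(cp):
    # Accept defaultGroup in any stanza, since the issue quotes it under [defaultGroup].
    for name in cp.sections():
        if "defaultGroup" in cp[name]:
            return cp[name]["defaultGroup"].strip()
    return None

def servers(cp):
    # Map each [tcpout:<group>] stanza to its server setting.
    return {n.split(":", 1)[1]: cp[n].get("server", "").strip()
            for n in cp.sections() if n.startswith("tcpout:")}

def audit(system_local_text, app_text):
    local, app = parse_conf(system_local_text), parse_conf(app_text)
    intended, override = default_group(app), default_group(local)
    effective = override or intended  # system/local wins over app config
    targets = {**servers(app), **servers(local)}
    return {
        "intended_group": intended,
        "effective_group": effective,
        "effective_server": targets.get(effective),
        "shadowed": bool(override and intended and override != intended),
    }

if __name__ == "__main__":
    print(audit(SYSTEM_LOCAL_FROM_ISSUE, DEPLOYMENT_APP))
```

A `shadowed` result on a forwarder means its events are going to the module default rather than the indexer the deployment server assigned, which is worth alerting on as a logging gap.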