
Is there a way to retrieve Universal Forwarder configuration remotely for security configuration compliance auditing - Part 2?

Hi,

A while ago I asked a question - https://answers.splunk.com/answers/525239/is-there-a-way-to-retrieve-universal-forwarder-con.html#answer-525378 - about retrieving Splunk Universal Forwarder configurations from Windows servers for auditing purposes. Specifically, I wanted to retrieve the contents of the inputs.conf and outputs.conf files to ensure that the correct logs were being tailed, and that the digest was being sent to the right place. But I didn't want to be retrieving the files themselves because they're Windows servers and to do that securely on production servers owned by other groups would be a nightmare (especially since I'm not much of a Windows expert).

The solution that came back made perfect sense to me. The Universal Forwarder has a REST API and the information I'm looking for can be retrieved using that.

Unfortunately, the group within my organisation which deploys the Splunk Universal Forwarders declined to enable this API on the grounds that it will only authenticate one user account - admin. It isn't possible to create users and assign roles or permissions. Once authenticated, that admin user can make any changes to the configuration allowed by the API. So I can also understand their position.

But that means I'm back to square one. I still don't want to try retrieving the inputs.conf and outputs.conf files directly as files from those servers, but it occurred to me that the information might be stored in the registry. Does anyone know if this is possible, and where in the registry this information would be stored? Or is there another solution I don't know about? Is there a Splunk Universal Forwarder SNMP MIB, for example?

All help gratefully received ...
