
Splunk Workaround: Push a *nix TA from a Windows Deployment Server (DS)

Per the Operating system compatibility section of the following doc, https://docs.splunk.com/Documentation/Splunk/latest/Updating/Planadeployment, Windows deployment servers cannot manage Linux deployment clients because Windows does not understand how to maintain Linux file permissions for scripts and executables. So when you push a TA that has an executable or script to a Linux deployment client, you will receive “Permission denied”.

The best solution is to switch your deployment server to Linux, but if you don’t have the ability to do that, read on.

Follow these steps to work around the issue.

  1. Download the Linux TA that you want to push and extract it on any Linux machine.
  2. Make any required changes to the app: for example, add your <app>/local/inputs.conf file with whatever changes you want to implement.
  3. Repackage the tgz file WITHOUT the parent directory. For example, if you are repackaging Splunk_TA_nix, you would navigate into Splunk_TA_nix and create your tgz file with your local, default, bin, etc. folders all at the top level of the tgz file.
    tar cvfz <newname.tgz> *
  4. Move the repackaged app to your Windows deployment server and place it under $SPLUNK_HOME/etc/deployment-apps
  5. Back up your serverclass.conf file on your Windows deployment server. If you’ve been managing your Forwarder Management through the web UI, it will typically be located in $SPLUNK_HOME/etc/system/local/serverclass.conf
  6. Edit serverclass.conf to include the following setting under your (third level) app stanza:

appFile = <YourModifiedApp>.tgz

Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

Also verify that your (second level) serverClass stanza looks correct for whitelist/blacklist, etc.

  7. Restart Splunk on your DS (might not be necessary)

That’s it! When the deployment client phones home, the Windows DS should provide the tgz file with all the Linux file permissions intact.
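A pre-flight check for step 3, run on the Linux machine before the archive is copied to the Windows DS. This is an added example, not part of the original post or of Splunk's tooling: the function names `repack_app` and `check_app_tgz` are hypothetical, and it assumes the scripts of interest end in `.sh` and that entry names contain no spaces.

```shell
#!/bin/sh
# Repackage a Splunk app without its parent directory, then verify the
# archive layout and the execute bits recorded inside it.

# repack_app <app_dir> <out.tgz>: archive the app's contents at the top level.
repack_app() {
    local app_dir=$1 out
    # Resolve the output path first, because tar runs from inside app_dir.
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2") || return 1
    ( cd "$app_dir" && tar czf "$out" * )
}

# check_app_tgz <file.tgz>: return 0 only if layout and modes look right.
check_app_tgz() {
    local tgz=$1 listing bad rc=0
    listing=$(tar tvzf "$tgz") || return 1
    # Keep the mode string (first column) and the entry name (last column).
    listing=$(printf '%s\n' "$listing" | awk '{print $1, $NF}')

    # default/ must sit at the top level, not under <AppName>/default/.
    if ! printf '%s\n' "$listing" | awk '{print $2}' |
            grep -Eq '^(\./)?default/'; then
        echo "FAIL: no top-level default/ (parent directory included?)" >&2
        rc=1
    fi

    # Regular files under bin/ ending in .sh need the owner execute bit.
    bad=$(printf '%s\n' "$listing" | awk '
        $2 ~ /^(\.\/)?bin\/.*\.sh$/ &&
        substr($1, 1, 1) == "-" && substr($1, 4, 1) != "x" { print $2 }')
    if [ -n "$bad" ]; then
        echo "FAIL: not executable in archive: $bad" >&2
        rc=1
    fi
    return $rc
}
```

A non-zero return from `check_app_tgz` means the client would either unpack the app one directory too deep or receive scripts it cannot execute.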

Verification steps:

  • Search splunkd.log on your DS for the name of your custom tgz app that you created. It should indicate that the app loaded successfully.
  • On your search head, run a search for something like this:
    index=_internal host=<linuxforwarder> Splunk_TA_nix

Where Splunk_TA_nix would be a keyword for whichever app you were having problems with. In my case, we were trying to get the rlog.sh script that comes with the Splunk_TA_nix app to work but it kept erroring out with Permission Denied. So I used “rlog” as my search keyword. I already verified that the Splunk Forwarder service on the Linux host was running as root, so after we did this workaround, it executed as expected.

Published in tech