I'm getting ready to roll out Universal Forwarder on about 200 Windows servers. What are my options if I wanted to upgrade the Universal Forwarder software at some point in the future? How can I change what type of information these servers can report (i.e., add/remove different types of event logs)?
I found documentation about deployment server, but it is extremely vague and I'm not sure this is the right tool for what I'm trying to do - "The deployment server is Splunk's tool for pushing out configurations, apps, and content updates to distributed Splunk instances. You can use it to push updates to any Splunk component: forwarder, indexer, or search head." What kind of updates? What kind of configurations? Not sure what this actually means without concrete examples of what it can do.
Other than that, I know there are scripted batch files that can be used with the Universal Forwarder. Is there any other way of remotely configuring what information the forwarders are able to send?
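
As a concrete illustration of the "configurations" and "apps" the quoted documentation refers to, here is an added example (not part of the original post or of Splunk's documentation) of a deployment server pushing a Windows event log `inputs.conf` to a group of forwarders. The server class name `windows_servers`, the app name `win_eventlog_inputs`, the host pattern and the hostname are assumptions made up for this example.

```ini
# --- On the deployment server ---
# $SPLUNK_HOME/etc/system/local/serverclass.conf
[serverClass:windows_servers]
# Constructed host pattern; match it to your own naming scheme
whitelist.0 = winsrv-*
machineTypesFilter = windows-x64

# Maps the app below to every client in this server class
[serverClass:windows_servers:app:win_eventlog_inputs]
# Restart the forwarder after the app is installed or updated
restartSplunkd = true
stateOnClient = enabled

# --- Also on the deployment server: the app that gets pushed ---
# $SPLUNK_HOME/etc/deployment-apps/win_eventlog_inputs/local/inputs.conf
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# To stop collecting a log, set disabled = 1 (or delete the stanza)
# and the edited app is redeployed to the clients
[WinEventLog://Application]
disabled = 1

# --- On each Universal Forwarder (set once, e.g. at install time) ---
# %SPLUNK_HOME%\etc\system\local\deploymentclient.conf
[deployment-client]

[target-broker:deploymentServer]
# Constructed hostname; 8089 is the default management port
targetUri = deploy.example.com:8089
```

After editing the files on the deployment server, `splunk reload deploy-server` makes it re-read them. This mechanism distributes apps and configuration files only; it does not upgrade the Universal Forwarder software itself.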