# Distributed Deployment Manual

Use the forwarder to create deployment topologies
Deploy the universal forwarder
Deploy heavy and light forwarders

# Remotely deploy a Windows universal forwarder with a static configuration

You typically deploy the universal forwarder with a static configuration for one of these reasons:

• You don't need to change the configuration later - "fire-and-forget".
• You'll be making any post-installation changes with a non-Splunk deployment tool such as System Center Configuration Manager, Altris, or BigFix/Tivoli.

For this type of deployment, you install via the Windows commandline interface. During installation, you must specify all configuration options and use silent mode (/quiet). See "Deploy a Windows universal forwarder via the commandline" for information on the commandline interface, including a list of supported flags.

## Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install and configure the universal forwarder on a test machine, using the commandline interface with the desired flags.

2. Test and tune the deployment.

3. Load the universal forwarder MSI into your deployment tool, specifying the tested flags.

4. Execute deployment with your deployment tool.

5. Use the deployment monitor to verify that the universal forwarders are functioning.

## Required installation flags

Besides specifying /quiet mode, you must include, at a minimum, these commandline flags:

• AGREETOLICENSE=Yes
• RECEIVING_INDEXER="<server:port>"
• At least one data input flag, such as WINEVENTLOG_APP_ENABLE=1. You can add as many data input flags as you need.

See "Deploy a Windows universal forwarder via the commandline" for a list of all available commandline flags.

## Example installation

This example sets the universal forwarder to run as Local System user, get inputs from Windows security and system event logs, send data to indexer1, and launch automatically:

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet


## Deploy with a secure configuration

To deploy a secure configuration, you can specify an SSL certifcate. Use these installation flags:

• CERTFILE=<c:\path\to\certfile.pem>
• ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>
• CERTPASSWORD=<password>

## Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer. You can use the deployment monitor to validate the universal forwarder.

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.

Hi Gekoner,

In this context, the RECEIVING_INDEXER flag is required at a minimum, because if it is not specified, then the forwarder does not know where it should send data.

I will update the topic to note this clarification.

Malmoore
September 23, 2011

RECEIVING_INDEXER="" is NOT a required flag. It is optional in 4.2.

Gekoner
September 19, 2011