Splunk® Universal Forwarder

Forwarder Manual


Install a Windows universal forwarder from the command line

You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window. To install the software with a GUI installer, see Install a Windows universal forwarder with the installer.

When to install from the command line?

Here are some scenarios where installing from the command line is useful:

  • You want to install the forwarder, but do not want to start it right away.
  • You want to automate installation of the forwarder with a script.
  • You want to install the forwarder on a machine that you will clone to other machines later.
  • You want to use a deployment tool such as Group Policy or System Center Configuration Manager.
  • You run a version of Windows Server Core.

Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Prerequisites for installing the universal forwarder

Choose the Windows user the universal forwarder should run as

When you install the universal forwarder, you can select the user it should run as. By default, the forwarder installs as the Local System user. To specify a domain account to run the forwarder as, specify the LOGON_USERNAME and LOGON_PASSWORD flags in the installation command.

You can also install the forwarder as a user who is not an administrator on the local machine. Use the SET_ADMIN_USER installation flag to install the forwarder in "low privilege" mode.

If you install the forwarder as the Local System user, the forwarder can collect any kind of data that is available on the local machine. It cannot collect data from other machines. This is by design.

You must give the universal forwarder a user account if you intend to do any of the following:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files
  • Enumerate the Active Directory schema, using Active Directory monitoring

See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements for collecting remote Windows data.

Configure your Windows environment prior to installation

The following steps are high-level. For step-by-step instructions, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.

  1. Create a security group for the user that you want to run the universal forwarder as.
  2. Add the user you want the universal forwarder to run as to this group.
  3. (Optional) Set up the universal forwarder user as a managed service account.
  4. Use the Group Policy Management Console to create and configure Group Policy or Local Security Policy objects for user rights assignments.
  5. Use the Group Policy Management Console to assign appropriate security rights to the universal forwarder user.
  6. If you use Active Directory, deploy the Group Policy objects with the updated settings.

Install the universal forwarder

You can install the forwarder with flags to prevent the installer from asking some questions, or you can specify the /quiet argument and set the AGREETOLICENSE flag for a completely silent installation.

For examples on how to install the universal forwarder from the command line, see "Examples" below.

Install the universal forwarder with installation flags

This method of installation works like the one described in Install the Windows universal forwarder from an installer, except that the installer skips the questions that correspond to the installation flags you specify on the command line.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]
    
  3. Follow the prompts on screen to complete the installation. Panes for flags that you have specified in the command line will not appear.

Install the universal forwarder silently

If your system has User Account Control (UAC) enabled, you must run a silent installation as an Administrator.

  1. Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
  2. From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add AGREETOLICENSE=yes /quiet to the end of the command string, as follows:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] AGREETOLICENSE=yes /quiet
    

The installation completes silently if there is no error and the universal forwarder starts.

Install the universal forwarder in low-privilege mode

When you install the universal forwarder in low privilege mode, the user that you specify does not need to have administrative level privileges to run the forwarder software on the host.

There are some caveats to running the forwarder in low-privilege mode:

  • You do not have administrative access to any resources on either the host or the domain when you run the universal forwarder in low-privilege mode.
  • You might need to add the domain user to additional domain groups in order to access remote resources. Additionally, you might need to add the user to local groups to access local resources that only privileged users would have access to.
  • You cannot collect Windows Management Instrumentation (WMI) data as a non-admin user.

  1. Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
  2. From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0 to the end of the command string.
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0
    
  3. (Optional) If you want to perform a silent installation, append AGREETOLICENSE=yes /quiet to the end of the command line string.
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0 AGREETOLICENSE=yes /quiet
    
  4. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

The forwarder installs and runs in "low-privilege" mode.

Install the universal forwarder and enable verbose logging during installation

For more information on the msiexec logging command, see To set logging level on MS TechNet.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command-line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] /L*v logfile.txt
    
  3. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

Supported command line flags

Command-line flags let you configure your forwarder at installation time. Using command-line flags, you can specify a number of settings, including:

  • The user the universal forwarder runs as. (When you specify this flag, confirm the user you specify has the appropriate permissions to access the content you want to forward.)
  • Whether or not the forwarder runs in "low-privilege" mode - as a user who does not have local administrative access.
  • The receiving Splunk instance that the universal forwarder will send data to.
  • A deployment server for updating the configuration.
  • The Windows event logs to index.
  • Whether the universal forwarder should start automatically when the installation is completed.

The following list shows the flags available and provides a few examples of various configurations.

Note: The installer for the full version of Splunk Enterprise has its own set of installation flags. For information on the full Splunk installer, see Install on Windows in the Splunk Enterprise Installation Manual.

Each entry below gives the flag, its purpose, and its default value.

AGREETOLICENSE=Yes|No
  Purpose: Agrees to the license. You must set this flag to Yes to perform a silent installation. The flag does not work when you click the MSI to start installation.
  Default: No

INSTALLDIR="<directory_path>"
  Purpose: Specifies the installation directory. Do not install the universal forwarder over an existing installation of full Splunk Enterprise.
  Default: c:\Program Files\SplunkUniversalForwarder

LOGON_USERNAME="<domain\username>"
LOGON_PASSWORD="<pass>"
  Purpose: Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs as the Local System user.
  Default: n/a

RECEIVING_INDEXER="<host:port>"
  Purpose: (Optional) Specify the receiving indexer to which the universal forwarder will forward data. Enter the name (host name or IP address) and receiving port of the receiver. This flag accepts only a single receiver. To specify multiple receivers (to implement load balancing), configure this setting through the CLI or outputs.conf.
  Note: If you do not specify this flag and also do not specify DEPLOYMENT_SERVER, the universal forwarder cannot determine which indexer to forward to.
  Default: n/a

DEPLOYMENT_SERVER="<host:port>"
  Purpose: Specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server name (hostname or IP address) and port.
  Note: If you do not specify this flag and also do not specify RECEIVING_INDEXER, the universal forwarder cannot determine which indexer to forward to.
  Default: n/a

LAUNCHSPLUNK=1|0
  Purpose: Specify whether the universal forwarder should start when the installation finishes.
  Default: 1 (yes)

SERVICESTARTTYPE=auto|manual
  Purpose: Specify whether the universal forwarder should start when the system reboots.
  Note: By setting LAUNCHSPLUNK to 0 and SERVICESTARTTYPE to auto, you cause the universal forwarder to not start forwarding until the next system boot. This is useful when you want to clone a system image.
  Default: auto

MONITOR_PATH="<directory_path>"
  Purpose: Specify a file or directory to monitor.
  Default: n/a

WINEVENTLOG_APP_ENABLE=1|0 (application)
WINEVENTLOG_SEC_ENABLE=1|0 (security)
WINEVENTLOG_SYS_ENABLE=1|0 (system)
WINEVENTLOG_FWD_ENABLE=1|0 (forwarders)
WINEVENTLOG_SET_ENABLE=1|0 (setup)
  Purpose: Enable these Windows event logs. You can specify more than one of these flags in a command.
  Default: 0 (no)

PERFMON=<input_type>,<input_type>,...
  Purpose: Enable Performance Monitor inputs. <input_type> can be any of: cpu, memory, network, diskspace.
  Default: n/a

ENABLEADMON=1|0
  Purpose: Enable Active Directory monitoring for a remote deployment.
  Default: 0 (not enabled)

CERTFILE=<c:\path\to\certfile.pem>
ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>
CERTPASSWORD=<password>
  Purpose: Supply SSL certificates. CERTFILE is the path to the cert file that contains the public/private key pair. ROOTCACERTFILE is the path to the file that contains the Root CA cert for verifying that CERTFILE is legitimate (optional). CERTPASSWORD is the password for the private key of CERTFILE (optional).
  Note: You must set RECEIVING_INDEXER for these flags to have any effect.
  Default: n/a

CLONEPREP=1|0
  Purpose: Delete any instance-specific data in preparation for creating a clone of a machine. This invokes the splunk clone-prep command from the CLI.
  Default: 0 (do not prepare the instance for cloning)

SET_ADMIN_USER=1|0
  Purpose: Specify whether the user you specify is an administrator. If you set this flag to 0, the universal forwarder runs in "low-privilege" mode as a user without administrator privileges on the local machine. This mode is available for customers that cannot run programs as an administrator on servers. You must set both the LOGON_USERNAME and LOGON_PASSWORD flags when you set this flag.
  Default: 1 (Install the universal forwarder as a user with administrative privileges. The universal forwarder runs in normal mode and not "low-privilege" mode.)

Examples

Install the universal forwarder to run as the Local System user and request configuration from deploymentserver1

You might do this for new deployments of the forwarder.

msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

Install the universal forwarder to run as a domain user, but do not launch it immediately

You might do this when preparing a sample host for cloning.

msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet

Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode

You might do this to collect just the Security and System event logs through a silent installation.

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Install the universal forwarder in low-privilege mode and enable verbose installation logging to a log file

You might do this when you need to run the forwarder as a user who does not have administrative privileges on the local server.

msiexec.exe /i splunkuniversalforwarder_x64.msi /l*v install_splunkforwarder-6.1-201357-x64-release.msi.log LOGON_USERNAME=adtest1\lowpriv-testuser LOGON_PASSWORD=win1@splunk AGREETOLICENSE=Yes SET_ADMIN_USER=0 /quiet
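The following PowerShell script is an added example and is not part of the Splunk documentation. It automates the low-privilege silent installation from the last example above (the "automate with a script" scenario), checks the msiexec exit code, restricts access to the verbose log, and then verifies that the SplunkForwarder service actually runs as the intended non-administrator account. The MSI path, log path, and deployment server name are assumed values; the password is supplied as a PSCredential instead of being typed into the script.

```powershell
# Added example, not from the Splunk documentation. Assumed values: MSI path,
# log path and deployment server name. Run from an elevated PowerShell window
# (UAC requires an Administrator for a silent install).
param(
    [string]$MsiPath = 'C:\Temp\splunkuniversalforwarder_x64.msi',        # assumed
    [string]$DeploymentServer = 'deploymentserver1:8089',                 # assumed
    [Parameter(Mandatory)][pscredential]$ServiceAccount,                  # domain\username
    [string]$LogPath = "$env:TEMP\splunkforwarder-install.log"           # assumed
)

# Build the msiexec command from the flags documented on this page.
$user = $ServiceAccount.UserName
$pass = $ServiceAccount.GetNetworkCredential().Password
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "LOGON_USERNAME=`"$user`"",
    "LOGON_PASSWORD=`"$pass`"",
    'SET_ADMIN_USER=0',                                   # low-privilege mode
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    'AGREETOLICENSE=Yes', '/quiet',
    '/L*v', "`"$LogPath`""                                # verbose MSI log
)

# Wait for the installer; msiexec returns 0 on success and 3010 when a reboot is pending.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# A verbose MSI log can record command-line properties, so limit who can read it.
$acl = Get-Acl -Path $LogPath
$acl.SetAccessRuleProtection($true, $false)                # drop inherited ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $LogPath -AclObject $acl

# Verify the service exists and runs as the intended account, not Local System.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'"
if (-not $svc) { throw 'SplunkForwarder service not found after installation' }
if ($svc.StartName -ne $user) {
    throw "SplunkForwarder runs as '$($svc.StartName)', expected '$user'"
}
# Low-privilege mode only holds if the account is not a local Administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $user) {
    Write-Warning "$user is a member of the local Administrators group"
}
"SplunkForwarder installed: state=$($svc.State), start mode=$($svc.StartMode), account=$($svc.StartName)"
```

Invoke it as `.\Install-Forwarder.ps1 -ServiceAccount (Get-Credential)`, entering the account in domain\username form so it matches the service's StartName.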

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11


Comments

We found that the INSTALLDIR flag did not work when automating the install for Splunk Universal Forwarder 7.0.1. TARGETDIR should be used in its place.

Michaelhalsey7486
December 21, 2017
