Make a universal forwarder part of a host image
You can deploy a universal forwarder as part of a host image or virtual machine. This is particularly useful if you have a large number of universal forwarders to deploy. If you have just a few, you might find it simpler to install them manually, as described for Windows and nix hosts.
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, perform these steps:
1. Install the universal forwarder on a test machine.
2. Perform any post-installation configuration.
3. Test and tune the deployment.
4. Install the universal forwarder with the tested configuration onto a source machine.
5. Stop the universal forwarder.
6. Run this CLI command on the forwarder:
This clears instance-specific information, such as the server name and GUID, from the forwarder. This information will then be configured on each cloned forwarder at initial start-up.
7. Prepare your image or virtual machine, as necessary, for cloning.
8. On *nix systems, set the splunkd daemon to start on boot using cron or your scheduling system of choice. On Windows, set the service to
Automatic but do not start it.
9. Distribute the system image or virtual machine clones to machines across your environment and start them.
10. Confirm that forwarders have connected to the indexers you specified during forwarder setup.
Steps in the above deployment procedure reference these subtopics.
Install the universal forwarder
Install the universal forwarder using the procedure specific to your operating system:
- To install on a *nix host, see Install a nix universal forwarder.
- For a Windows host, you can use the installer or the command line interface. To install with an installer, see Install a Windows universal forwarder from an installer. For information on the command line interface, see Install a Windows universal forwarder from the command line.
If you do not want the universal forwarder to start on a Windows host after installation, install from the command line . Using the proper command line flags, you can configure the universal forwarder so that it does not start on the source machine when installed but does start automatically on the clones, once they're activated.
At the time of installation, you can also configure the universal forwarder. See Configure the universal forwarder.
Perform additional configuration
You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as
outputs.conf. See Configure the universal forwarder.
For information on distributing configuration changes across multiple universal forwarders, see "About deployment server" in the Updating Splunk Enterprise Instances manual.
Test the deployment
Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. When testing the deployment, ask these questions:
1. Do the data inputs that you configured in the forwarder collect the data you want?
If they don't:
- Check the inputs.conf on the forwarder and confirm that the input stanzas are correct. For example, if you want to configure monitoring a file, confirm that the inputs.conf on the forwarder references that file.
- Confirm that the stanza that references the file is not disabled (look for 'disabled = 1' in the stanza.)
2. Does the forwarder send the data you expect to the place you expect it?
If it doesn't:
- Confirm that the outputs.conf on the forwarder has been correctly configured. The outputs.conf file should reference a receiving indexer that the forwarder can access over the network via a host name or IP address and port that you specify.
- Confirm that no firewall blocks network traffic on the ports you specify on both the forwarder and receiver.
- Confirm that the ports you specify on the forwarder and receiver are the same, as they must be for forwarding to occur. For example, if you specify port 9997 as the receiving port on the indexer, you must specify this same port as the target in the outputs.conf configuration on the forwarder.
- Use the Search page on the receiving indexer to confirm that you see events that you configured on the forwarder.
Install a *nix universal forwarder remotely with a static configuration
Deploy and run a universal forwarder inside a Docker container
This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0