Install a Windows universal forwarder from a ZIP file
You can install the universal forwarder from a ZIP file that Splunk provides. To install with a GUI interface, see Install a Windows universal forwarder from an installer. To install with the installer from the command line, see Install a Windows universal forwarder from the command line.
When to install from a ZIP file
This installation method is useful when you want to do the following:
- Install more than one universal forwarder on a Windows machine
Limitations to installing the universal forwarder on Windows from a ZIP file
There are several caveats that exist to installing the Windows universal forwarder from a ZIP file.
- Splunk supports this method of installation on specific versions of Windows Server only. See the prerequisites later in this topic for the supported versions. It is not available on other versions of Windows Server, or on workstation-class versions of Windows (such as 7, 8, 8.1, or 10.)
- These instructions apply only to versions 6.5.0 and later of the universal forwarder ZIP file. They do not apply to ZIP files for earlier versions that might appear on the download page.
- The ZIP file is not publicly available. You must contact Support to get the file.
- The process of both installation and uninstallation is almost completely manual. For example, you must place the files in the installation directory, register driver files, edit configuration files, and start and stop services manually. Also, you cannot uninstall the program through the Control Panel.
- You must create the Splunk admin account prior to starting the forwarder.
- You cannot cross-grade an installation of a ZIP file with an MSI file, or vice versa. You must use an updated ZIP file to upgrade.
- You must install the forwarder with a user that is a local administrator on the installation machine.
- If you install the forwarder to run as a user other than the Local System user, that user must also be a local administrator.
- You cannot enable "low privilege" mode with this installation method.
- Only one forwarder on a machine can monitor any given one of the network monitor, Registry monitor, or MonitorNoHandle inputs at a time. This means that, for example, if you have two forwarders on a machine and one monitors the Registry, the other cannot.
- If you install three forwarders on a machine, each can monitor one of these inputs simultaneously, as long as no two forwarders monitor the same input.
Prerequisites to installing the universal forwarder on Windows
Before you install the Windows universal forwarder from a ZIP file, confirm that you have all of the following:
- An account with administrative privileges on the Windows machine on which you want to install the forwarder.
- A Windows universal forwarder ZIP file.
- A Windows machine that runs 64-bit Windows Server 2008 R2 or Server 2012 R2.
Get the ZIP file from Splunk Support
The Windows universal forwarder ZIP file is not available for download on the Splunk website. To get the file, you must contact your Support representative who can provide a download link.
Choose the Windows user that the universal forwarder should run as
After you install the universal forwarder, you can configure it to run as the Local System user or as another Windows user that you specify by editing the user in the Services control panel.
The Local System user lets the universal forwarder collect any kind of data that is available on the local machine. It cannot collect data from other machines.
A Domain account lets the forwarder run as the Windows user you specify. The forwarder has the permissions that have been assigned to that user, and collects data from resources across the domain or forest that the user has read access to. It does not collect data from resources that the Windows user does not have access to. If you need to collect data from those resources, you must give the Windows user access to those resources.
Install the forwarder as a Domain account to do any of the following:
- Read Event Logs remotely
- Collect performance counters remotely
- Read network shares for log files
- Access the Active Directory schema, using Active Directory monitoring
You must determine and configure the user that the universal forwarder should run as before installing the forwarder for remote Windows data collection.
If you install as a domain user, specify a user that has access to the data you want to monitor. See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.
Configure your Windows environment for remote data collection
If your monitoring needs require that you install the universal forwarder to collect remote Windows data, then configure your Windows environment for the proper installation of the forwarder.
The configuration process includes adding or editing Active Directory security groups and granting the Windows universal forwarder user access to those groups. It can also include creating and updating Group Policy Objects (GPOs) to provide further security and access for the user.
For step-by-step instructions on how to modify your Windows network, domain, or Active Directory forest, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.
- Create and configure security groups with the user you want the universal forwarder to run as.
- (Optional) Configure the universal forwarder account as a managed service account.
- Create and configure Group Policy objects (GPOs) for security policy and user rights assignment.
- Assign appropriate user rights to the GPO.
- Deploy the GPOs with the updated settings to the appropriate objects.
Install the universal forwarder
This procedure assumes that no other forwarder has been installed on the Windows machine. If there are other forwarders that are present, see "Install additional forwarders" later in this topic.
Begin installing the forwarder
- Contact your Splunk Support representative to get the universal forwarder ZIP download link.
- Download the file from the link to the machine that is to run the forwarder.
- Unpack the archive to a directory of your choosing.
- Open a PowerShell window or command prompt.
- Change to the bin directory where you unpacked the universal forwarder ZIP file.
Register Splunk monitoring input drivers
This part of the procedure is only required if you want to use the Registry monitor, the Network monitor, or the MonitorNoHandle file monitoring input. These inputs have separate drivers that must be registered before they can be used with the universal forwarder instance. If you do not want to use these inputs, then proceed to the next section.
If you need to register Splunk monitoring drivers, confirm that you specify the commands exactly as shown. Errors in command syntax can severely damage your Windows installation. If you do not feel comfortable with the driver registration steps in this procedure, then install the universal forwarder with the installer.
- (Optional) Register the Splunk monitoring drivers that you need for the universal forwarder. The command line is as follows.
rundll32 SETUPAPI.dll,InstallHinfSection DefaultInstall 132 <full path to driver .inf file>
In this command, <full path to driver .inf file> is the path to the .inf file for the Splunk monitoring driver that you want to register. You must always specify the full path to confirm that the utility operates on the correct file. There are several drivers that are available for registering:
  - Splunkdrv.inf, which handles the Registry Monitor input driver.
  - Splknetdrv.inf, which handles the Network Monitor input driver.
  - SplunkMonitorNoHandleDrv.inf, which handles the MonitorNoHandle driver.
All of these drivers are in the %SPLUNK_HOME%\bin directory.
- (Optional) If you receive an error message that says "Installation failed.", then confirm that you have specified the correct path to the file and try the operation again.
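The driver registration step is the one place in this procedure where a wrong argument can damage the operating system, so it is worth wrapping the page's rundll32 command in a script that validates the .inf path before the utility ever sees it. The following PowerShell is an added example, not Splunk's own code: it assumes $UfHome is the directory you unpacked the ZIP into, uses the three .inf file names from the page, and ends with a coarse post-check that lists kernel drivers with a Splunk-looking name or image path (the exact driver service names are not given on the page, so that filter is an assumption).

```powershell
# Added example, not Splunk's own code: register the monitoring drivers from the
# bin directory of an unpacked universal forwarder ZIP. Each .inf path is checked
# and resolved to an absolute path before the page's rundll32 command runs.
# Assumption: $UfHome is the directory the ZIP was unpacked into.

# The .inf file for each input, as listed on the page.
$DriverInf = @{
    Registry        = 'Splunkdrv.inf'
    Network         = 'Splknetdrv.inf'
    MonitorNoHandle = 'SplunkMonitorNoHandleDrv.inf'
}

function Register-SplunkMonitorDriver {
    param(
        [Parameter(Mandatory=$true)] [string] $UfHome,
        [Parameter(Mandatory=$true)] [ValidateSet('Registry', 'Network', 'MonitorNoHandle')]
        [string] $InputName
    )
    # Driver registration requires a local administrator; stop early if we are not one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell window'
    }

    # Build the path, then refuse to continue unless the file really is there:
    # rundll32 must only ever be handed a verified, absolute .inf path.
    $inf = Join-Path (Join-Path $UfHome 'bin') $DriverInf[$InputName]
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) {
        throw "Driver file not found: $inf"
    }
    $inf = (Resolve-Path -LiteralPath $inf).Path

    # The page's command, with the path quoted so a space in the install
    # directory (for example Program Files) is not split into two arguments.
    $argLine = "SETUPAPI.dll,InstallHinfSection DefaultInstall 132 `"$inf`""
    Write-Host "rundll32 $argLine"
    Start-Process -FilePath 'rundll32.exe' -ArgumentList $argLine -Wait -NoNewWindow

    # rundll32 reports failure with a dialog ("Installation failed."), not a
    # reliable exit code, so confirm afterwards by listing kernel drivers whose
    # name or image path looks Splunk-related. Coarse check (assumed filter):
    # the page does not state the registered driver service names.
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.Name -match 'spl' -or $_.PathName -match 'spl' } |
        Select-Object Name, State, StartMode, PathName
}

# Register only the drivers for the inputs this instance will actually use
# (remember that only one forwarder per machine may use each of these inputs).
foreach ($name in 'Registry', 'MonitorNoHandle') {
    Register-SplunkMonitorDriver -UfHome 'C:\Program Files\UF' -InputName $name
}
```

Run it from an elevated PowerShell window in the bin directory, after editing the foreach list to match the inputs you intend to enable; leave out any driver you do not need, since an unused driver is just extra kernel code on the host.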
Create the Splunk "admin" account and password with user-seed.conf
Before starting the forwarder for the first time, you must create the Splunk admin account by editing user-seed.conf. If you do not, the universal forwarder starts with no defined users, which means you cannot log into it and make changes.
See Create a secure administrator password in Securing Splunk for more information on how to create a secure password for the admin account.
- Open a PowerShell window or command prompt, if one is not already open.
- In the directory where you unpacked the universal forwarder files, change to the /etc/system/local directory. For example, if you unpacked the files to C:\Program Files\UF, change to the C:\Program Files\UF\etc\system\local directory.
- Use a text editor like Notepad to create a file user-seed.conf for editing.
- In this file, add the following block of text:
[user_info]
USERNAME = admin
PASSWORD = <new password>
- Substitute <new password> with a password of your choosing. The password must meet eligibility requirements (currently, it must be at least 8 characters in length.)
- Save the user-seed.conf file and close it.
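Because user-seed.conf holds the admin password in clear text on disk, the two things a practitioner wants from a scripted version of the steps above are that the password never lands in the shell history and that the file is readable only by the accounts that need it. The following PowerShell is an added example, not Splunk's own code: it assumes $UfHome is the directory you unpacked the ZIP into, writes exactly the three-line block shown on the page, enforces the page's 8-character minimum, and then tightens the file's ACL to Administrators and SYSTEM (added hardening, not a step from the page; grant the service account read access as well if the forwarder will not run as Local System).

```powershell
# Added example, not Splunk's own code: create etc\system\local\user-seed.conf
# for the first start of an unpacked universal forwarder.
# Assumption: $UfHome is the directory the ZIP was unpacked into.
function New-SplunkUserSeed {
    param(
        [Parameter(Mandatory=$true)] [string] $UfHome,
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password,
        [string] $Username = 'admin'
    )
    $local = Join-Path $UfHome 'etc\system\local'
    $seed  = Join-Path $local 'user-seed.conf'

    # Never silently overwrite a seed file: an existing one may already hold credentials.
    if (Test-Path -LiteralPath $seed) {
        throw "Refusing to overwrite existing $seed"
    }

    # The page's stated rule is a minimum of 8 characters; check it before writing.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    if ($plain.Length -lt 8) {
        throw 'Password must be at least 8 characters in length'
    }

    New-Item -ItemType Directory -Path $local -Force | Out-Null

    # The same three lines the page shows, one per line.
    $content = @(
        '[user_info]',
        "USERNAME = $Username",
        "PASSWORD = $plain"
    )
    Set-Content -LiteralPath $seed -Value $content -Encoding ASCII

    # The password sits in clear text in this file, so restrict who can read it:
    # drop inherited ACEs and allow only Administrators and SYSTEM (the Local
    # System account the forwarder runs as by default). Added hardening, not a
    # page step; add the forwarder's service account here if it is not Local System.
    $acl = Get-Acl -LiteralPath $seed
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $seed -AclObject $acl

    return $seed
}

# Prompt for the password as a SecureString so it never appears on the command
# line or in the PowerShell history.
$pw = Read-Host -Prompt 'New Splunk admin password' -AsSecureString
New-SplunkUserSeed -UfHome 'C:\Program Files\UF' -Password $pw
```

After the forwarder has started for the first time, check that the admin login works and that the seed file is no longer needed on disk; a clear-text credential file should not outlive the step that consumes it.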
Complete the universal forwarder installation
- Enable the universal forwarder to start at boot time.
.\splunk enable boot-start
The universal forwarder responds with the following.
This appears to be your first time running this version of Splunk.
Installing service SplunkForwarder
Service installed
Windows services installed.
Windows services are configured to run at boot.
- (Optional) If you want the forwarder to run as a different user, complete the procedure shown in Correct the user selected during Windows installation in the Installation Manual.
- Start the universal forwarder.
.\splunk start
Install additional forwarders
After you have installed the first forwarder, you can install additional forwarders by changing the service name for the new instances.
Any forwarders that you previously installed on the machine should be running when you perform this installation. This forces the forwarder that you are installing to prompt you to choose a different network management port when it starts. Each universal forwarder must use its own network management port.
If a forwarder that is already on the system uses a monitoring input that requires a driver, then this instance cannot monitor the same type of input. For example, if a forwarder already monitors the Registry, then subsequent instances cannot monitor the Registry. This is the same for the Network monitoring or MonitorNoHandle inputs.
Begin the universal forwarder installation
- Confirm that any existing universal forwarders on the machine are running.
- Contact your Splunk Support representative to get the universal forwarder ZIP download link.
- Download the file from the link to the machine that is to run the forwarder.
- Unpack the archive to the installation directory.
If you already have a universal forwarder installed on the machine, do not unpack the ZIP file into the same directory.
- Open a PowerShell window.
- Change to the etc directory where you unpacked the universal forwarder ZIP file.
- (Optional) Register any Splunk monitoring input drivers that you need for this installation, as specified in "Register Splunk monitoring input drivers" earlier in this topic.
Change name of universal forwarder services in splunk-launch.conf
- Use Notepad or another text editor to edit the splunk-launch.conf file.
- In the splunk-launch.conf file, change the SPLUNK_SERVER_NAME and SPLUNK_WEB_NAME values to a new name that does not conflict with the existing service names.
# Splunkd service name
SPLUNK_SERVER_NAME=SplunkForwarder2
# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb2
- Save the file and exit the text editor.
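The service-name edit above is simple, but the failure mode is subtle: if the name you pick is already registered as a Windows service, the later enable boot-start step collides with it. The following PowerShell is an added example, not Splunk's own code: it assumes $UfHome is the directory you unpacked the new ZIP into, lists the Splunk services already on the machine, refuses names that any existing service already uses, and then rewrites the two KEY=VALUE lines in etc\splunk-launch.conf (keeping a backup of the original file).

```powershell
# Added example, not Splunk's own code: give a second unpacked forwarder
# non-conflicting service names in etc\splunk-launch.conf, checking the
# services already registered on the machine before writing anything.
# Assumption: $UfHome is the directory the new ZIP was unpacked into.
function Set-SplunkServiceNames {
    param(
        [Parameter(Mandatory=$true)] [string] $UfHome,
        [Parameter(Mandatory=$true)] [string] $ServerName,   # e.g. SplunkForwarder2
        [Parameter(Mandatory=$true)] [string] $WebName       # e.g. splunkweb2
    )
    $conf = Join-Path $UfHome 'etc\splunk-launch.conf'
    if (-not (Test-Path -LiteralPath $conf -PathType Leaf)) {
        throw "Not found: $conf"
    }

    # Show what is already installed so the new names are chosen with that in view.
    Write-Host 'Existing Splunk services on this machine:'
    Get-Service | Where-Object { $_.Name -like 'Splunk*' } | Format-Table Name, Status -AutoSize

    # A name already used by any service (Splunk's or not) would make
    # 'splunk enable boot-start' collide with it, so refuse it up front.
    foreach ($name in $ServerName, $WebName) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            throw "A service named '$name' already exists on this machine"
        }
    }

    # Replace the two keys in place (KEY=VALUE lines, as shown on the page);
    # append them if the file does not set them yet.
    $lines = Get-Content -LiteralPath $conf
    $seen  = @{}
    $out = @(foreach ($line in $lines) {
        if ($line -match '^\s*SPLUNK_SERVER_NAME\s*=') {
            $seen.server = $true; "SPLUNK_SERVER_NAME=$ServerName"
        } elseif ($line -match '^\s*SPLUNK_WEB_NAME\s*=') {
            $seen.web = $true; "SPLUNK_WEB_NAME=$WebName"
        } else {
            $line
        }
    })
    if (-not $seen.server) { $out += "SPLUNK_SERVER_NAME=$ServerName" }
    if (-not $seen.web)    { $out += "SPLUNK_WEB_NAME=$WebName" }

    # Keep the original so the edit can be reverted if the service fails to install.
    Copy-Item -LiteralPath $conf -Destination "$conf.bak" -Force
    Set-Content -LiteralPath $conf -Value $out -Encoding ASCII
    return $out
}

# Example call for a second instance unpacked next to the first one
# (directory and names are constructed for this example).
Set-SplunkServiceNames -UfHome 'C:\Program Files\UF2' `
    -ServerName 'SplunkForwarder2' -WebName 'splunkweb2'
```

Run it before the enable boot-start step of the next section; the returned lines are the new contents of splunk-launch.conf, so you can eyeball that exactly the two service-name keys changed.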
Complete the universal forwarder installation
- Change to the bin directory.
- Enable the universal forwarder to start at boot time, as you did previously.
.\splunk enable boot-start
The universal forwarder responds with the following.
This appears to be your first time running this version of Splunk.
Installing service SplunkForwarder
Service installed
Windows services installed.
Windows services are configured to run at boot.
- (Optional) If you want the forwarder to run as a different user, complete the procedure shown in Correct the user selected during Windows installation in the Installation Manual.
- Start the universal forwarder.
.\splunk start
- When the forwarder warns you that the management port is in use and prompts you to change it, enter y.
- Specify a new management port number.
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3