Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Install a Windows universal forwarder from a ZIP file

You can install the universal forwarder from a ZIP file that Splunk provides. To install with a GUI interface, see Install a Windows universal forwarder from an installer. To install with the installer from the command line, see Install a Windows universal forwarder from the command line.

When to install from a ZIP file

This installation method is useful when you want to do the following:

  • Install more than one universal forwarder on a Windows machine

Limitations to installing the universal forwarder on Windows from a ZIP file

There are several caveats that exist to installing the Windows universal forwarder from a ZIP file.

  • Splunk supports this method of installation on specific versions of Windows Server only. See the prerequisites later in this topic for the supported versions. It is not available on other versions of Windows Server, or on workstation-class versions of Windows (such as 7, 8, 8.1, or 10.)
  • These instructions apply only to versions 6.5.0 and later of the universal forwarder ZIP file. They do not apply to ZIP files for earlier versions that might appear on the download page.
  • The ZIP file is not publicly available. You must contact Support to get the file.
  • The process of both installation and uninstallation is almost completely manual. For example, you must place the files in the installation directory, register driver files, edit configuration files, and start and stop services manually. Also, you cannot uninstall the program through the Control Panel.
  • You must create the Splunk admin account prior to starting the forwarder.
  • You cannot cross-grade an installation of a ZIP file with an MSI file, or vice versa. You must use an updated ZIP file to upgrade.
  • You must install the forwarder with a user that is a local administrator on the installation machine.
  • If you install the forwarder to run as a user other than the Local System user, that user must also be a local administrator.
  • You cannot enable "low privilege" mode with this installation method.
  • Only one forwarder on a machine can monitor any of the network monitor, Registry monitor, or MonitorNoHandle inputs at a time. This means that, for example, if you have two forwarders on a machine and one monitors the Registry, the other cannot.
    • If you install three forwarders on a machine, each can monitor one of these inputs simultaneously, as long as not more than one does.

Prerequisites to installing the universal forwarder on Windows

Before you install the Windows universal forwarder from a ZIP file, confirm that you have all of the following:

  • An account with administrative privileges on the Windows machine that you want to install the forwarder.
  • A Windows universal forwarder ZIP file.
  • A Windows machine that runs 64-bit Windows Server 2008 R2 or Server 2012 R2.

Get the ZIP file from Splunk Support

The Windows universal forwarder ZIP file is not available for download on the Splunk website. To get the file, you must contact your Support representative who can provide a download link.

Choose the Windows user that the universal forwarder should run as

After you install the universal forwarder, you can configure it to run as the Local System user or as another Windows user that you specify by editing the user in the Services control panel.

The Local System user lets the universal forwarder collect any kind of data that is available on the local machine. It cannot collect data from other machines.

A Domain account lets the forwarder run as the Windows user you specify. The forwarder has the permissions that have been assigned to that user, and collects data from resources across the domain or forest that the user has read access to. It does not collect data from resources that the Windows user does not have access to. If you need to collect data from those resources, you must give the Windows user access to those resources.

Install the forwarder as a Domain account to do any of the following:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files
  • Access the Active Directory schema, using Active Directory monitoring

You must determine and configure the user that the universal forwarder should run as before installing the forwarder for remote Windows data collection.

If you install as a domain user, specify a user that has access to the data you want to monitor. See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.

Configure your Windows environment for remote data collection

If your monitoring needs require that you install the universal forwarder to collect remote Windows data, then configure your Windows environment for the proper installation of the forwarder.

The configuration process includes adding or editing Active Directory security groups and granting the Windows universal forwarder user access to those groups. It can also include creating and updating Group Policy Objects (GPOs) to provide further security and access for the user.

For step-by-step instructions on how to modify your Windows network, domain, or Active Directory forest, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.

  1. Create and configure security groups with the user you want the universal forwarder to run as.
  2. (Optional) Configure the universal forwarder account as a managed service account.
  3. Create and configure Group Policy objects (GPOs) for security policy and user rights assignment.
  4. Assign appropriate user rights to the GPO.
  5. Deploy the GPOs with the updated settings to the appropriate objects.

Install the universal forwarder

This procedure assumes that no other forwarder has been installed on the Windows machine. If there are other forwarders that are present, see "Install additional forwarders" later in this topic.

Begin installing the forwarder

  1. Contact your Splunk Support representative to get the universal forward ZIP download link.
  2. Download the link to the machine that is to run the forwarder.
  3. Unpack the archive to a directory of your choosing.
  4. Open a PowerShell window or command prompt.
  5. Change to the bin directory where you unpacked the universal forwarder ZIP file.

Register Splunk monitoring input drivers

This part of the procedure is only required if you want to use the Registry monitor, the Network monitor, or the MonitorNoHandle file monitoring input. These inputs have separate drivers that must be registered before they can be used with the universal forwarder instance. If you do not want to use these inputs, then proceed to the next section.

If you need to register Splunk monitoring drivers, confirm that you specify the commands exactly as shown. Errors in command syntax can severely damage your Windows installation. If you do not feel comfortable with the driver registration steps in this procedure, then install the universal forwarder with the installer.

  • (Optional) Register the Splunk monitoring drivers that you need for the universal forwarder. The command line is as follows.
    rundll32 SETUPAPI.dll,InstallHinfSection DefaultInstall 132 <full path to driver .inf file>

    In this command, <full path to driver .inf file> is the path to the .inf file for the Splunk monitoring driver that you want to register. You must always specify the full path to confirm that the utility operates on the correct file.

    There are several drivers that are available for registering:

    • Splunkdrv.inf, which handles the Registry Monitor input driver.
    • Splknetdrv.inf which handles the Network Monitor input driver.
    • SplunkMonitorNoHandleDrv.inf, which handles the MonitorNoHandle driver.

    All of these drivers are in the %SPLUNK_HOME%\bin directory.

  • (Optional) If you receive an error message that says "Installation failed.", then confirm that you have specified the correct path to the file and try the operation again.

Create the Splunk "admin" account and password with user-seed.conf

Before starting the forwarder for the first time, you must create the Splunk admin account by editing user-seed.conf. If you do not, the universal forwarder starts with no defined users, which means you cannot log into it and make changes.

See Create a secure administrator password in Securing Splunk for more information on how to create a secure password for the admin account.

  1. Open a PowerShell window or command prompt, if one is not already open.
  2. In the directory where you unpacked the universal forwarder files, change to the /etc/system/local directory. For example, if you unpacked the files to C:\Program Files\UF, change to the C:\Program Files\UF\etc\system\local directory.
  3. Use a text editor like Notepad to create a file user-seed.conf for editing.
  4. In this file, add the following block of text:
    [user_info]
USERNAME = admin
PASSWORD = <new password>
  5. Substitute <new password> with a password of your choosing. The password must meet eligibility requirements (currently, it must be at least 8 characters in length.)
  6. Save the user-seed.conf file and close it.

Complete the universal forwarder installation

  1. Enable the universal forwarder to start at boot time.
    .\splunk enable boot-start

    The universal forwarder responds with the following.

    This appears to be your first time running this version of Splunk.
Installing service SplunkForwarder
Service installed
Windows services installed.
Windows services are configured to run at boot.
  2. (Optional) If you want the forwarder to run as a different user, complete the procedure shown in Correct the user selected during Windows installation in the Installation Manual.
  3. Start the universal forwarder.
    .\splunk start

Install additional forwarders

After you have installed the first forwarder, you can install additional forwarders by changing the service name for the new instances.

Any forwarders that you previously installed on the machine should be running when you perform this installation. This forces the forwarder that you are installing to prompt you to choose a different network management port when it starts. Each universal forwarder must use its own network management port.

If a forwarder that is already on the system uses a monitoring input that requires a driver, then this instance cannot monitor the same type of input. For example, if a forwarder already monitors the Registry, then subsequent instances cannot monitor the Registry. This is the same for the Network monitoring or MonitorNoHandle inputs.

Begin the universal forwarder installation

  1. Confirm that any existing universal forwarders on the machine are running.
  2. Contact your Splunk Support representative to get the universal forward ZIP download link.
  3. Download the link to the machine that is to run the forwarder.
  4. Unpack the archive to the installation directory.

    If you already have a universal forwarder installed on the machine, do not unpack the ZIP file into the same directory.

  5. Open a PowerShell window.
  6. Change to the etc directory where you unpacked the universal forwarder ZIP file.
  7. (Optional) Register any Splunk monitoring input drivers that you need for this installation, as specified in "Register Splunk monitoring input drivers" earlier in this topic.

Change name of universal forwarder services in splunk-launch.conf

  1. Use Notepad or another text editor to edit the splunk-launch.conf file.
  2. In the splunk-launch.conf file, change the SPLUNK_SERVER_NAME and SPLUNK_WEB_NAME values to a new name that does not conflict with the existing service names. 
    # Splunkd service name
SPLUNK_SERVER_NAME=SplunkForwarder2

# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb2
  3. Save the file and exit the text editor.

Complete the universal forwarder installation

  1. Change to the bin directory.
  2. Enable the universal forwarder to start at boot time, as you did previously.
    .\splunk enable boot-start

    The universal forwarder responds with the following.

    This appears to be your first time running this version of Splunk.
Installing service SplunkForwarder
Service installed
Windows services installed.
Windows services are configured to run at boot.
  3. (Optional) If you want the forwarder to run as a different user, complete the procedure shown in Correct the user selected during Windows installation in the Installation Manual.
  4. Start the universal forwarder.
    .\splunk start
  5. When the forwarder warns you that the management port is in use and prompts you to change it, enter y.
  6. Specify a new management port number.
Last modified on 01 December, 2021
Install a Windows universal forwarder from the command line   Install a Windows universal forwarder remotely with a static configuration

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters