Splunk® Universal Forwarder

Forwarder Manual

# Install a Windows universal forwarder remotely with a static configuration

You can install a universal forwarder remotely onto a Windows host with a static configuration.

There are several scenarios where you would install a universal forwarder with a static configuration:

• You don't need to change the configuration later.
• You will make any post-installation changes with a non-Splunk deployment tool such as System Center Configuration Manager, Altiris, or BigFix/Tivoli.

For this type of installation, install the universal forwarder from the command line. Specify all configuration options and use silent mode (/quiet). See Install a Windows universal forwarder from the command line for instructions and a list of installation flags that the installer supports.

## Install the universal forwarder with a static configuration

1. Install and configure the universal forwarder on a test machine, using the command line interface and the flags you want.
2. Test and tune the installation.
3. Load the universal forwarder MSI file into your software deployment tool.
4. Specify the tested flags with your deployment tool.
5. Execute installation with your deployment tool.

## Required installation flags

When you install a universal forwarder with a static configuration, specify the /quiet flag and a minimum of the following flags:

• AGREETOLICENSE=Yes
• SPLUNKPASSWORD=<password for 'admin' user that you create>
• RECEIVING_INDEXER="<server:port>"

If you do not plan to install an add-on into the forwarder, you also must include at least one data input flag, such as WINEVENTLOG_APP_ENABLE=1. See Install a Windows universal forwarder from the command line for a list of all available command line flags.
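
One way to check a flag set against the requirements in this section before loading it into a deployment tool, as an added PowerShell example that is not Splunk's own code. `Test-ForwarderInstallArgs` and the sample argument lists are hypothetical, and the data-input check recognizes only the WINEVENTLOG_*_ENABLE flags shown on this page.

```powershell
# Added example. Test-ForwarderInstallArgs is a hypothetical helper, not a Splunk or msiexec command.
function Test-ForwarderInstallArgs {
    param(
        [Parameter(Mandatory)][string[]]$InstallArgs,
        [switch]$AddOnPlanned   # set when an add-on will supply the data inputs
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Collect NAME=value installer properties; switches such as /i and /quiet are skipped here.
    $props = @{}
    foreach ($a in $InstallArgs) {
        if ($a -match '^(?<k>[A-Z_]+)=(?<v>.*)$') {
            $props[$Matches['k']] = $Matches['v'].Trim('"')
        }
    }

    if ($InstallArgs -notcontains '/quiet') { $problems.Add('missing /quiet (silent mode)') }
    if ($props['AGREETOLICENSE'] -ne 'Yes') { $problems.Add('AGREETOLICENSE=Yes is required') }
    if ([string]::IsNullOrEmpty($props['SPLUNKPASSWORD'])) { $problems.Add('SPLUNKPASSWORD is required') }
    if ($props['RECEIVING_INDEXER'] -notmatch '^\S+:\d{1,5}$') {
        $problems.Add('RECEIVING_INDEXER must have the form "<server:port>"')
    }

    # Assumption: only the WINEVENTLOG_*_ENABLE=1 inputs shown on this page count as data inputs.
    $inputs = @($props.Keys | Where-Object { $_ -like 'WINEVENTLOG_*_ENABLE' -and $props[$_] -eq '1' })
    if ($inputs.Count -eq 0 -and -not $AddOnPlanned) {
        $problems.Add('no data input flag enabled and no add-on planned')
    }
    return $problems
}

# Constructed samples: the flag set from the page's Local System example, and a variant with gaps.
# <password> is a placeholder; supply the real value at deploy time.
$good = '/i', 'splunkuniversalforwarder_x86.msi', 'RECEIVING_INDEXER="indexer1:9997"',
        'SPLUNKPASSWORD=<password>', 'WINEVENTLOG_SEC_ENABLE=1', 'WINEVENTLOG_SYS_ENABLE=1',
        'AGREETOLICENSE=Yes', '/quiet'
$bad  = '/i', 'splunkuniversalforwarder_x86.msi', 'RECEIVING_INDEXER="indexer1"',
        'SPLUNKPASSWORD=<password>', 'AGREETOLICENSE=Yes'

foreach ($candidate in $good, $bad) {
    $found = @(Test-ForwarderInstallArgs -InstallArgs $candidate)
    if ($found.Count -eq 0) { 'OK: ' + ($candidate -join ' ') }
    else { $found | ForEach-Object { Write-Warning $_ } }
}
```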

## Example of remote installation with a static configuration

### Install as the Local System user, set the Splunk admin password to "Ch@ng3d!", get events from the Security and System event log channels, and forward those events to an indexer

This example sets the universal forwarder to run as the Local System user, get events from the Windows Security and System event logs, send data to indexer1, and launch automatically:

```
msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" SPLUNKPASSWORD=Ch@ng3d! WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
```


### Install with a secure configuration by specifying certificate files and authority

This example installs a secure configuration and specifies an SSL certificate:

```
msiexec.exe /i splunkuniversalforwarder.msi CERTFILE=<c:\path\to\certfile.pem> ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem> CERTPASSWORD=<password> SPLUNKPASSWORD=MyNewPassword RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 AGREETOLICENSE=Yes /quiet
```


## Test the deployment

A Splunk best practice is to install a universal forwarder on one host and confirm that it works before installing forwarders on additional hosts.

1. After installing the forwarder, ensure that it gets the desired data and sends it to the indexer.
2. After you confirm that the forwarder works the way you want, continue installation of the forwarder software on the remaining hosts.