Splunk® Universal Forwarder

Forwarder Manual


This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Install a Windows universal forwarder remotely with a static configuration

You can install a universal forwarder remotely onto a Windows host with a static configuration.

There are several scenarios where you would install a universal forwarder with a static configuration:

  • You don't need to change the configuration later.
  • You will make any post-installation changes with a non-Splunk deployment tool such as System Center Configuration Manager, Altiris, or BigFix/Tivoli.

For this type of installation, install the universal forwarder from the command line. Specify all configuration options and use silent mode (/quiet). See Install a Windows universal forwarder from the command line for instructions and a list of installation flags that the installer supports.

Install the universal forwarder with a static configuration

After you download the universal forwarder and plan your installation, install the forwarder:

  1. Install and configure the universal forwarder on a test machine, using the command line interface and the flags you want.
  2. Test and tune the installation.
  3. Load the universal forwarder MSI file into your software deployment tool.
  4. Specify the tested flags with your deployment tool.
  5. Execute installation with your deployment tool.

Required installation flags

When you install a universal forwarder with a static configuration, specify the /quiet flag and a minimum of the following flags:

  • SPLUNKPASSWORD=<password for 'admin' user that you create>
  • RECEIVING_INDEXER="<server:port>"

If you do not plan to install an add-on into the forwarder, you also must include at least one data input flag, such as WINEVENTLOG_APP_ENABLE=1. See Install a Windows universal forwarder from the command line for a list of all available command line flags.

Example of remote installation with a static configuration

Install as the local system user, set the Splunk admin password to "Ch@ng3d!", get events from the Security and System event log channels, and forward those events to an indexer

This example sets the universal forwarder to run as the Local System user, get events from the Windows Security and System event logs, send data to indexer1, and launch automatically:

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" SPLUNKPASSWORD=Ch@ng3d! WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Install with a secure configuration by specifying certificate files and authority

This example installs a secure configuration and specifies an SSL certificate:

msiexec.exe /i splunkuniversalforwarder.msi CERTFILE=<c:\path\to\certfile.pem> ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem> CERTPASSWORD=<password> SPLUNKPASSWORD=MyNewPassword RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 AGREETOLICENSE=yes /quiet

For more information, see the list of supported command line flags.
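
A pre-flight check for the flags you hand to your deployment tool, given here as an added PowerShell example (not Splunk code): it tests a candidate command line against the minimum flags listed under "Required installation flags" and rejects the sample passwords and unfilled placeholders shown in the examples above. The function name Test-UfStaticInstallArgs, its parameters and its messages are hypothetical, and by assumption only the WINEVENTLOG_*_ENABLE data input flags are recognised.

```powershell
# Added example: lint a forwarder msiexec command line before deployment.
# Function name, parameters and messages are hypothetical, not Splunk tooling.
function Test-UfStaticInstallArgs {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        # Set when an add-on will supply the inputs (no data input flag needed).
        [switch]$AddOnPlanned,
        # Assumption: only WINEVENTLOG_*_ENABLE inputs are recognised; widen the
        # pattern for other input flags from the supported-flags list.
        [string]$InputFlagPattern = '^WINEVENTLOG_[A-Z]+_ENABLE$'
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    # Split on whitespace but keep quoted values such as "indexer1:9997" whole.
    $tokens = @([regex]::Matches($CommandLine, '(?:[^\s"]+|"[^"]*")+') |
        ForEach-Object { $_.Value })
    $props = @{}
    foreach ($t in $tokens) {
        if ($t -match '^(\w+)=(.*)$') {
            $props[$Matches[1].ToUpper()] = $Matches[2].Trim('"')
        }
    }
    if ($tokens -notcontains '/quiet') { $problems.Add('Missing /quiet (silent mode).') }
    $pw = $props['SPLUNKPASSWORD']
    if (-not $pw) {
        $problems.Add('SPLUNKPASSWORD is missing or empty.')
    } elseif ($pw -cin 'Ch@ng3d!', 'MyNewPassword') {
        $problems.Add('SPLUNKPASSWORD is a sample value from the documentation.')
    }
    $idx = $props['RECEIVING_INDEXER']
    if ($idx -notmatch '^[^:\s]+:(\d{1,5})$' -or
        [int]$Matches[1] -lt 1 -or [int]$Matches[1] -gt 65535) {
        $problems.Add('RECEIVING_INDEXER must be "<server:port>", port 1-65535.')
    }
    $inputs = @($props.Keys | Where-Object {
        $_ -match $InputFlagPattern -and $props[$_] -eq '1' })
    if (-not $AddOnPlanned -and $inputs.Count -eq 0) {
        $problems.Add('No data input flag enabled, e.g. WINEVENTLOG_APP_ENABLE=1.')
    }
    foreach ($k in $props.Keys) {
        if ($props[$k] -match '[<>]') { $problems.Add("$k still holds a placeholder.") }
    }
    $problems
}

# Constructed candidate with deliberate mistakes, modelled on the page's examples.
$candidate = 'msiexec.exe /i splunkuniversalforwarder.msi RECEIVING_INDEXER="indexer1" ' +
    'SPLUNKPASSWORD=MyNewPassword CERTPASSWORD=<password> AGREETOLICENSE=yes'
Test-UfStaticInstallArgs -CommandLine $candidate
```

The function emits one string per problem and nothing when the command line passes, so a packaging step can fail the build whenever the result is non-empty.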

Test the deployment

A Splunk best practice is to install a universal forwarder on one host and confirm that it works before installing forwarders on additional hosts.

  1. After installing the forwarder, ensure that it gets the desired data and sends it to the indexer.
  2. After you confirm that the forwarder works the way you want, continue installation of the forwarder software on the remaining hosts.
Last modified on 01 December, 2021

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3
