Install a Windows universal forwarder remotely with a static configuration
You can install a universal forwarder remotely onto a Windows host with a static configuration.
There are several scenarios where you would install a universal forwarder with a static configuration:
- You don't need to change the configuration later.
- You will make any post-installation changes with a non-Splunk deployment tool such as System Center Configuration Manager, Altris, or BigFix/Tivoli.
For this type of installation, install the universal forwarder from the command line. Specify all configuration options and use silent mode (
/quiet). See Install a Windows universal forwarder from the command line for instructions and a list of installation flags that the installer supports.
Install the universal forwarder with a static configuration
After you download the universal forwarder and plan your installation, install the forwarder:
- Install and configure the universal forwarder on a test machine, using the command line interface and the flags you want.
- Test and tune the installation.
- Load the universal forwarder MSI file into your software deployment tool.
- Specify the tested flags with your deployment tool.
- Execute installation with your deployment tool.
Required installation flags
When you install a universal forwarder with a static configuration, specify the
/quiet flag and a minimum of the following flags:
SPLUNKPASSWORD=<password for 'admin' user that you create>
If you do not plan to install an add-on into the forwarder, you also must include at least one data input flag, such as
WINEVENTLOG_APP_ENABLE=1. See Install a Windows universal forwarder from the command line for a list of all available command line flags.
Example of remote installation with a static configuration
Install as the local system user, set the Splunk admin password to "Ch@ng3d!", get events from the Security event log channel, and forward those events to an indexer
This example sets the universal forwarder to run as the Local System user, get events from the Windows Security and System event logs, send data to
indexer1, and launch automatically:
msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" SPLUNKPASSWORD=Ch@ng3d! WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
This example installs a secure configuration and specifies an SSL certificate:
msiexec.exe /i splunkuniversalforwarder.msi CERTFILE=<c:\path\to\certfile.pem> ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem> CERTPASSWORD=<password> SPLUNKPASSWORD=MyNewPassword RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 AGREETOLICENSE=yes
For more information, see the list of supported command line flags.
Test the deployment
A Splunk best practice is to install a universal forwarder on one host and confirm that it works before installing forwarders on additional hosts.
- After installing the forwarder, ensure that it gets the desired data and sends it to the indexer.
- After you confirm that the forwarder works the way you want, continue installation of the forwarder software on the remaining hosts.
Install a Windows universal forwarder from a ZIP file
Install a *nix universal forwarder
This documentation applies to the following versions of Splunk® Universal Forwarder: 188.8.131.52, 8.2.4, 8.2.5
Feedback submitted, thanks!