Install a Windows universal forwarder
If you are a Windows user, you can install the universal forwarder either with the installer or from the command line. The installer is recommended for larger deployments, and the command line is recommended for smaller deployments.
Install a Windows universal forwarder from an installer
See the following steps to install a Windows universal forwarder from an installer:
- Download the universal forwarder from splunk.com. Double-click the MSI file to start the installation.
- The first screen of the installer appears. Select the "Check this box to accept the License Agreement" check box, and select the check box for either Splunk Enterprise or Splunk Cloud.
- To change any of the default installation settings, click the "Customize Options" button. See the following steps. Otherwise, click Next.
- (Optional) In the Destination Folder dialog box, click Change to specify a different installation directory.
- On the Certificate Information page, click Next as a best practice. Do not specify any parameters.
- As a best practice, run the Universal Forwarder as the Local System user and click Next. See "Install as a low-privilege user" for information about securing your system when installing as a local user.
- (Optional) Select one or more Windows inputs from the list and click Next.
- Create a username and password for your Universal Forwarder administrator account. Check Generate random password to let Splunk generate a password for you.
- Do at least one of the following two steps:
  - In the Deployment Server pane, enter a host name or IP address and management port for the deployment server that you want the universal forwarder to connect to and click Next.
  - In the Receiving Indexer pane, enter a host name or IP address and the receiving port for the receiving indexer that you want the universal forwarder to send data to and click Next.
- Click Install to proceed with the installation. The installer runs and displays the Installation Completed dialog box. The universal forwarder automatically starts.
- From Windows Control Panel, confirm that the SplunkForwarder service runs.
Install a Windows universal forwarder from the command line
If you have enabled Windows auto run, the Splunk installation might fail when the auto run script fails. As a workaround, you can use cmd /D msiexec.exe /i to install Splunk.
You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.
Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.
Install the universal forwarder with installation flags
Review the supported command line flags table to determine the flags you need to accomplish your command line installation task.
From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]
Follow the prompts on screen to complete the installation. Panes for flags that you have specified in the command line will not appear.
Install the universal forwarder silently
If your Windows machine has User Account Control (UAC) enabled, you must run a silent installation as a Windows administrator user.
Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add AGREETOLICENSE=yes /quiet to the end of the command string, as follows:
msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] AGREETOLICENSE=yes /quiet
The installation completes silently and the universal forwarder starts if there is no error during installation.
Install the universal forwarder in low-privilege mode
When you install the universal forwarder in low privilege mode, the Windows user that you specify during installation does not need to have administrative level privileges to run the forwarder software on the Windows machine.
There are some caveats to running the forwarder in low-privilege mode:
- The Windows user that you use to install the forwarder must have local administrator privileges to perform the installation.
- You do not have administrative access to any resources on either the host or the domain when you run the universal forwarder in low-privilege mode.
- You might need to add the domain user to additional domain groups in order to access remote resources. Additionally, you might need to add the user to local groups to access local resources that only privileged users would have access to.
- You cannot collect Windows Management Instrumentation (WMI) data as a non-admin user.
- Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
- From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0 to the end of the command string:
msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0
- (Optional) If you want to perform a silent installation, append AGREETOLICENSE=yes /quiet to the end of the command line string:
msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0 AGREETOLICENSE=yes /quiet
- (Optional) You can install the forwarder to run as a managed service account (MSA/gMSA). Set LOGON_USERNAME=domain\msa$ as the install user, in the {domain name}\{msa account name}$ format. The trailing $ is required by Windows.
- Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.
The forwarder installs and runs in "low-privilege" mode.
The forwarder installs and runs in "low-privilege" mode.
Install the universal forwarder and enable verbose logging during installation
For more information on the msiexec logging command, see "To set logging level" on MS TechNet.
- Review the supported command line flags table to determine the flags you need to accomplish your command-line installation task.
- From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] /L*v logfile.txt
- Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.
Examples
Install the universal forwarder silently, agree to the license, and set the forwarder admin credentials to "SplunkAdmin/Ch@ng3d!"
You should always create a password for the Splunk admin
user. If you do not, then the universal forwarder can start with no defined users, which means that you cannot log in or make changes to the initial forwarder configuration.
msiexec.exe /i splunkforwarder_x64.msi AGREETOLICENSE=yes SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=Ch@ng3d! /quiet
Install the universal forwarder to run as the Local System user and request configuration from deploymentserver1
You might do this for new deployments of the forwarder.
msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet
Install the universal forwarder to run as a domain user, but do not launch it immediately
You might do this when preparing a sample host for cloning.
msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet
Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode
You might do this to collect just the Security and System event logs through a silent installation.
msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
Install the universal forwarder in low-privilege mode and enable verbose installation logging to a log file
You might do this when you need to run the forwarder as a user who does not have administrative privileges on the local server.
msiexec.exe /i splunkuniversalforwarder_x64.msi /l*v install_splunkforwarder-6.1-201357-x64-release.msi.log LOGON_USERNAME=adtest1\lowpriv-testuser LOGON_PASSWORD=win1@splunk AGREETOLICENSE=Yes SET_ADMIN_USER=0 /quiet
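The following PowerShell wrapper is an added example, not part of the Splunk documentation or Splunk's own tooling: it runs the silent, low-privilege installation with verbose logging that the examples above describe, checks the Windows Installer exit code, and confirms that the SplunkForwarder service is running under the intended account. The MSI path, the service account and the log file name are assumptions; the deployment server value is taken from the examples on this page.

```powershell
# Added example (not from the Splunk documentation): silent, low-privilege install
# with verbose logging, exit-code handling and a post-install service check.
$Msi          = 'C:\Installers\splunkuniversalforwarder_x64.msi'   # assumed path
$LogonUser    = 'CORP\svc-splunkuf'                                 # assumed service account
$LogonPass    = Read-Host -Prompt "Password for $LogonUser"         # prompted, not hard-coded
$DeployServer = 'deploymentserver1:8089'                            # value used in the page's examples
$LogFile      = Join-Path $env:TEMP 'splunkuf-install.log'          # assumed log name

# LOGON_USERNAME must be domain\username, or domain\account$ for an MSA/gMSA.
if ($LogonUser -notmatch '^[^\\]+\\[^\\]+\$?$') {
    throw 'LOGON_USERNAME must use the domain\username (or domain\msa$) format'
}

$Arguments = @(
    '/i', "`"$Msi`"",
    "LOGON_USERNAME=`"$LogonUser`"",
    "LOGON_PASSWORD=`"$LogonPass`"",   # still passed on the msiexec command line
    'SET_ADMIN_USER=0',                 # low-privilege mode
    "DEPLOYMENT_SERVER=`"$DeployServer`"",
    'AGREETOLICENSE=Yes',
    '/quiet',
    '/L*v', "`"$LogFile`""              # verbose installer log
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Warning 'Install succeeded; Windows Installer requests a reboot, which can be deferred.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); review $LogFile" }
}

# Confirm the SplunkForwarder service exists, is running, and runs as the intended account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'"
if (-not $svc)                      { throw 'SplunkForwarder service not found' }
if ($svc.State -ne 'Running')       { throw "SplunkForwarder service state is $($svc.State)" }
if ($svc.StartName -ne $LogonUser)  { Write-Warning "Service runs as $($svc.StartName), expected $LogonUser" }

# The verbose log records installer properties; treat it as sensitive and remove it once reviewed.
Write-Host "Installer log written to $LogFile (delete after review)"
```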
Supported command-line flags
Command-line flags let you configure your forwarder at installation time. Using command-line flags, you can specify a number of settings, including:
- The user the universal forwarder runs as. (When you specify this flag, confirm the user you specify has the appropriate permissions to access the content you want to forward.)
- Whether or not the forwarder runs in "low-privilege" mode - as a user who does not have local administrative access.
- The receiving Splunk instance that the universal forwarder will send data to.
- A deployment server for updating the configuration.
- The Windows event logs to index.
- Whether the universal forwarder should start automatically when the installation is completed.
The installer for the full version of Splunk Enterprise has its own set of installation flags. For information on the full Splunk installer, see Install on Windows in the Splunk Enterprise Installation Manual.
The following table lists the available flags; the Examples section above shows a few configurations that use them.
Flag | Purpose | Default
---|---|---
AGREETOLICENSE=Yes\|No | Agrees to the license. You must set this flag to Yes to perform a silent installation. The flag does not work when you click the MSI to start installation. | No
INSTALLDIR="<directory_path>" | Specifies the installation directory. Do not install the universal forwarder over an existing installation of full Splunk Enterprise. | C:\Program Files\Splunk
LOGON_USERNAME="<domain\username>", LOGON_PASSWORD="<password>" | Provide the domain\username and password of the user that runs the SplunkForwarder service. Specify the domain with the username in the format domain\username. If you do not include these flags, the universal forwarder installs as the Local System user. | n/a
RECEIVING_INDEXER="<host:port>" | (Optional) Specify the receiving indexer to which the universal forwarder forwards data. Enter the name (host name or IP address) and receiving port of the receiver. This flag accepts only a single receiver. To specify multiple receivers (to implement load balancing), configure this setting through the CLI or outputs.conf. If you do not specify this flag and also do not specify | n/a
DEPLOYMENT_SERVER="<host:port>" | Specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server name (host name or IP address) and port. Note: If you do not specify this flag and also do not specify | n/a
LAUNCHSPLUNK=1\|0 | Specify whether the universal forwarder should start when the installation finishes. | 1 (yes)
SERVICESTARTTYPE=auto\|manual | Specify whether the universal forwarder should start when the system reboots. By setting | auto
MONITOR_PATH="<directory_path>" | Specify a file or directory to monitor. | n/a
WINEVENTLOG_<log>_ENABLE=1\|0 (for example WINEVENTLOG_SEC_ENABLE, WINEVENTLOG_SYS_ENABLE) | Enable these Windows event logs: Application, Security, System, Forwarders, Setup. You can specify more than one of these flags in a command. | 0 (no)
PERFMON=<input_type>,<input_type>,... | Enable Performance Monitor inputs. <input_type> can be any of these: | n/a
ENABLEADMON=1\|0 | Enable Active Directory monitoring for a remote deployment. | 0 (not enabled)
CERTFILE and the related certificate flags | Supply SSL certificates: the path to the cert file that contains the public/private key pair (CERTFILE), the path to the file that contains the Root CA cert for verifying that CERTFILE is legitimate (optional), and the password for the private key of CERTFILE (optional). You must set | n/a
CLONEPREP=1\|0 | Delete any instance-specific data in preparation for creating a clone of a machine. This runs the splunk clone-prep-clear-config CLI command, which removes machine-specific information from configuration files after the instance runs for the first time. | 0 (do not prepare the instance for cloning)
SET_ADMIN_USER=1\|0 | Specify whether the user you specify is an administrator. If you set this flag to 0, the universal forwarder runs in "low-privilege" mode as a user without administrator privileges on the local machine. This mode is available for customers that cannot run programs as an administrator on servers. You must set both the | 1 (Install the universal forwarder as a user with administrative privileges. The universal forwarder runs in normal mode and not "low-privilege" mode.)
SPLUNKUSERNAME=<username> | Create a username for the Splunk administrator user. If you specify a quiet installation with the /quiet flag and do not specify this setting, the software uses the default value of admin, but you must still specify a password with the SPLUNKPASSWORD or GENRANDOMPASSWORD flags for the installation to add the credentials successfully. | N/A
SPLUNKPASSWORD=<password> | Create a password for the Splunk administrator user. The password must meet eligibility requirements and be in plaintext. If you specify a quiet installation with the /quiet flag and do not specify this flag or the SPLUNKUSERNAME flag, and GENRANDOMPASSWORD is 0, then the universal forwarder installs without a user and you must create one by editing the user-seed.conf configuration file. | N/A
MINPASSWORDLEN=<positive integer> | When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLEN flag specifies the minimum length that a password must have to meet these eligibility requirements going forward. It cannot be set to 0 or a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. | > 1
MINPASSWORDDIGITLEN=<integer> | When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDDIGITLEN flag specifies the minimum number of numeral (0 through 9) characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. | 0
MINPASSWORDLOWERCASELEN=<integer> | When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLOWERCASELEN flag specifies the minimum number of lowercase ('a' through 'z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. | 0
MINPASSWORDUPPERCASELEN=<integer> | When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDUPPERCASELEN flag specifies the minimum number of uppercase ('A' through 'Z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. | 0
MINPASSWORDSPECIALCHARLEN=<integer> | When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDSPECIALCHARLEN flag specifies the minimum number of special characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. The ':' (colon) character cannot be used as a special character. Any new password you create and any existing password you change must meet the new requirements after you set this flag. | 0
GENRANDOMPASSWORD=1\|0 | Generate a random password for the admin user and write the password to the installation log file. The installer writes the credentials to %TEMP%\splunk.log. After the installation completes, you can use the findstr utility to search that file for the word "PASSWORD". After you get the credentials, delete the installation log file, as retaining the file represents a significant security risk. | 1
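The GENRANDOMPASSWORD row above tells you to read the generated credentials out of %TEMP%\splunk.log and then delete the file. The following PowerShell snippet is an added example, not part of the Splunk documentation or Splunk's tooling: it collects the PASSWORD lines from that log, shows them to the operator once, and removes the log even if reading it fails. The function name and the use of Select-String in place of findstr are this example's choices.

```powershell
# Added example (not from the Splunk documentation): retrieve the admin password
# written by GENRANDOMPASSWORD=1, then delete the log so the plaintext does not linger.
$LogPath = Join-Path $env:TEMP 'splunk.log'   # location stated in the flag table

function Get-SplunkGeneratedCredentials {
    # Hypothetical helper name chosen for this example.
    param([string]$Path = $LogPath)
    if (-not (Test-Path -Path $Path)) { throw "Installer log not found: $Path" }
    # The flag table says to search the log for the word PASSWORD; keep only those lines.
    $hits = Select-String -Path $Path -Pattern 'PASSWORD' -SimpleMatch
    if (-not $hits) { throw "No PASSWORD entry in $Path; was GENRANDOMPASSWORD=1 used?" }
    return $hits | ForEach-Object { $_.Line.Trim() }
}

try {
    # Show the credential lines once so the operator can store them in a password manager.
    Get-SplunkGeneratedCredentials | ForEach-Object { Write-Host $_ }
    Read-Host -Prompt 'Record the credentials securely, then press Enter to delete the log' | Out-Null
}
finally {
    # Retaining the log is a significant security risk (per the flag table): delete it
    # whether or not the read succeeded, then confirm it is gone.
    if (Test-Path -Path $LogPath) { Remove-Item -Path $LogPath -Force }
    if (Test-Path -Path $LogPath) { Write-Warning "Could not delete $LogPath; remove it manually" }
    else { Write-Host "Deleted $LogPath" }
}
```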
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10