Splunk® Universal Forwarder

Forwarder Manual

Install a Windows universal forwarder

Install a Windows universal forwarder using an installer or the command line. Use the installer for larger deployments and the command line for smaller deployments. Before you begin, see the universal forwarder deployment prerequisites. See Deploy the universal forwarder for a list of high-level steps to take before and after installing the universal forwarder.

You can choose from the following installation methods:

Version 9.1.0 deprecates version 3 of the Splunk-to-Splunk protocol. Upgrade all of your instances if possible, but if you must use the old version of the Splunk-to-Splunk protocol, refer to the Troubleshooting guide. With the deprecation introduced in 9.1.0, the latest forwarders will not communicate with the indexers running Splunk 7.0 or lower.

About the least-privileged user

For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least- privileged" user called splunkforwarder, which provides only the capabilities necessary to run the universal forwarder.

Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues,, when you're installing with the installer, the default account is the local system on the domain controller.

If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice:

  • If you choose Local System, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account with Windows administrator privilege, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account without Windows administrator privilege, you select the privilege.

Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows.

Security and performance implications for least privileged user

Least privilege mode is enabled to read any file permission on Windows version 9.1.0 and later.

A non-root or non-admin user that cannot access some files before upgrade to least privilege user may be able to access those files after upgrade in the following situations:

  • You upgrade the universal forwarder from an old version to a least privilege version.
  • Before upgrade, your universal forwarder is running as non-root or non-local administrator.
  • Prior to upgrade, you have inputs to monitor a directory with many files, or inputs with scripts to read many files, where users have no permission to access those files.

In addition to security issues, this can also lead to performance issues; since the universal forwarder is able to read far more files than before, more resources such as CPU, memory, and disk input/output are consumed.

  • You can resolve this on Windows in one of two ways:
    • During installation, you can use PRIVILEGEBACKUP=0.
    • After installation, you can remove the SeBackupPrivilege capability from Windows local security policy. See your Microsoft documentation for more information.

Install a Windows universal forwarder from an installer

To install a Windows universal forwarder from an installer:

  1. Download the Splunk universal forwarder from splunk.com. Select the MSI file to start the installation.
  2. On the first screen of the installer, select Check this box to accept the License Agreement and select whether you are installing on Splunk Enterprise or Splunk Cloud Platform.
  3. Select Next to create an administrator account.
  1. Select "Customize options" to optionally change the following:
  2. In the Destination Folder dialog box, select Change and specify a different installation directory.
  3. On the Certificate Information page, select Next as a best practice. Do not specify any parameters.
  4. By default the universal forwarder is installed with a least-privileged user. You can use the radio buttons to change the account on which the universal forwarder runs.
  5. To allow your least privileged user to enable universal forwarder features, grant all or some of the following permissions in the dialog box: Grant Windows privileges to enable universal forwarder features:
    Permission Function
    SeBackupPrivilege Check to grant the least privileged user READ(not WRITE) permissions for files.
    SeSecurityPrivilege Check to allow the user to collect Windows security event logs.
    SeImpersonatePrivilege Check to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources.

    Grant Windows groups privileges to enable universal forwarder features:

    Permission Function
    Performance Monitor Users Check for WMI/perfmon inputs to collect performance data.
  6. Create credentials for your administrator account. The default username is "Admin" and you can check Generate a password to automatically create a password. You can also manually create your own username and password.
  7. Perform one of the following steps depending upon your requirements:
    • In the Deployment Server pane, enter a host name or IP address and management port for the deployment server that you want the universal forwarder to connect to and select Next.
    • In the Receiving Indexer pane, enter a host name or IP address and the receiving port for the receiving indexer that you want the universal forwarder to send data to and select Next.
  8. Select Install. The installer runs and displays the Installation Completed dialog box. The universal forwarder automatically starts.
  9. From the Windows Control Panel, confirm that the SplunkForwarder service is running.

Install a Windows universal forwarder from the command line

You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.

Note the following when installing from the command line:

  • When installing version 9.1 with the command line, the default account on the domain controllers is the local system. If USE_VIRTUAL_ACCOUNT or LOGON_USERNAME is enabled, then GROUPPERFORMANCEMONITORUSERS must be 0, otherwise the installation fails. If you have problems on WMI/perfmon inputs, see the Troubleshooting topic.
  • If you have enabled Windows autorun, Splunk installation might fail if the autorun script fails. As a workaround, you can use cmd /D msiexec.exe /i to install Splunk.
  • You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.
  • In some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore the reboot request without rebooting.

Install the universal forwarder with installation flags

Review the supported command line flags table to determine the flags you need to accomplish your command line installation task.

From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:

msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]

Follow the prompts on screen to complete the installation. Panes for flags that you have specified in the command line do not appear.

Install the universal forwarder silently

If your Windows machine has User Account Control (UAC) enabled, you must run a silent installation as a Windows administrator user.

Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.

From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add AGREETOLICENSE=yes /quiet to the end of the command string, as follows:

msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] AGREETOLICENSE=yes /quiet

The installation completes silently and the universal forwarder starts if there is no error during installation.

Install the universal forwarder and enable verbose logging during installation

For more information on the msiexec logging command, see To set logging level on MS TechNet.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command-line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] /L*v logfile.txt
    
  3. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

Examples

Install the universal forwarder silently, agree to the license, and set the forwarder admin credentials to "SplunkAdmin/Ch@ng3d!"

Always create a password for the Splunk admin user. If you do not, then the universal forwarder can start with no defined users, which means that you cannot log in or make changes to the initial forwarder configuration.

msiexec.exe /i splunkforwarder_x64.msi AGREETOLICENSE=yes SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=Ch@ng3d! /quiet

Install the universal forwarder to run as the Local System user and request configuration from deploymentserver1

You might do this for new deployments of the forwarder.

msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

Install the universal forwarder to run as a domain user, but do not launch it immediately

You might do this when preparing a sample host for cloning.

msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet

Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode

You might perform this task to collect just the Security and System event logs through a silent installation.

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Supported command line flags

Use command-line flags to configure your forwarder at installation time. Use command-line flags to specify a number of settings, including:

  • The user the universal forwarder runs as. (When you specify a flag, confirm the user you specify has the appropriate permissions to access the content you want to forward.)
  • The receiving Splunk instance to which the universal forwarder will send data.
  • A deployment server for updating the configuration.
  • The Windows event logs that the forwarder will index.
  • Whether the universal forwarder will start automatically when the installation is completed.

The installer for the full version of Splunk Enterprise has its own set of installation flags. For information on the full Splunk installer, see Install on Windows in the Splunk Enterprise Installation Manual.

The following list shows the flags available and provides a few examples of various configurations.

Flag Purpose Default
AGREETOLICENSE Agrees to the license. You must set AGREETOLICENSE to Yes to perform a silent installation. The flag does not work when you click the MSI to start installation. No
INSTALLDIR="<directory_path>" Specifies the installation directory. Do not install the universal forwarder over an existing installation of full Splunk Enterprise. C:\Program Files\Splunk
UniversalForwarder
LOGON_USERNAME="<domain\username>"

LOGON_PASSWORD="<pass>"

Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs as the Local System user. n/a
RECEIVING_INDEXER="<host:port>" (Optional) Specify the receiving indexer to which the universal forwarder will forward data. Enter the name (hostname or IP address) and receiving port of the receiver. RECEIVING_INDEXER="<host:port>" accepts only a single receiver. To specify multiple receivers (to implement load balancing), configure your setting through the CLI or outputs.conf.

If you do not specifyRECEIVING_INDEXER="" and also do not specify DEPLOYMENT_SERVER, the universal forwarder cannot determine which indexer to forward to.

n/a
DEPLOYMENT_SERVER="<host:port>" Specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server name (hostname or IP address) and port.

Note: If you do not specify DEPLOYMENT_SERVER="<host:port>" and also do not specify RECEIVING_INDEXER, the universal forwarder cannot determine the receiving indexer.

n/a
LAUNCHSPLUNK Specify whether the universal forwarder starts when the installation finishes. 1 (yes)
SERVICESTARTTYPE Specify whether the universal forwarder starts when the system reboots.

By setting LAUNCHSPLUNK to 0 and SERVICESTARTTYPE to auto, the universal forwarder does not start forwarding until the next system boot. This is useful when you want to clone a system image.

auto
MONITOR_PATH="<directory_path>" Specify a file or directory to monitor. n/a
WINEVENTLOG_APP_ENABLE=

WINEVENTLOG_SEC_ENABLE WINEVENTLOG_SYS_ENABLE WINEVENTLOG_FWD_ENABLE WINEVENTLOG_SET_ENABLE

Enable these Windows event logs.
  • application
  • security
  • system
  • forwarders
  • setup

You can specify more than one of these flags in a command.

0 (no)
PERFMON=<input_type>,<input_type>,... Enable Performance Monitor inputs. <input_type> can be any of these:

cpu memory network diskspace

n/a
ENABLEADMON Enable Active Directory monitoring for a remote deployment. 0 (not enabled)
* CERTFILE=<c:\path\to\certfile.pem>
  • ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>
  • CERTPASSWORD=<password>
Supply SSL certificates:
  • Path to the cert file that contains the public/private key pair.
  • (Optional) Path to the file that contains the Root CA certificate for verifying CERTFILE is legitimate.
  • Password for private key of CERTFILE (optional).

You must set RECEIVING_INDEXER for these flags to have any effect.

n/a
CLONEPREP Delete any instance-specific data in preparation for creating a clone of a machine. This runs the splunk clone-prep-clear-config CLI command, which removes machine-specific information from configuration files after the instance runs for the first time. 0 (do not prepare the instance for cloning.)
SET_ADMIN_USER Specify if the user you specify is an administrator.

You must set both the LOGON_USERNAME and LOGON_PASSWORD flags when you set SET_ADMIN_USER.

0
SPLUNKUSERNAME Create a username for the Splunk administrator user. If you use the /quiet flag to specify a quiet installation and do not specify SPLUNKUSERNAME, then the software uses the default value of admin. You must still specify a password with the SPLUNKPASSWORD or GENRANDOMPASSWORD flags for the installation to add the credentials successfully. N/A
SPLUNKPASSWORD Create a password for the Splunk administrator user. The password must meet eligibility requirements and be in plain text. If you specify a quiet installation with the /quiet flag and do not specify SPLUNKPASSWORD or the SPLUNKUSERNAME flag, and GENRANDOMPASSWORD is 0, then the universal forwarder installs without a user and you must create one by editing the user-seed.conf configuration file. N/A
SPLUNKPASSWORD When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLEN flag specifies the minimum length that a password must be to meet these eligibility requirements. You cannot set SPLUNKPASSWORD to 0 or a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set SPLUNKPASSWORD. > 1
MINPASSWORDDIGITLEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDDIGITLEN flag specifies the minimum number of numeral (0 through 9) characters that a password must contain to meet these eligibility requirements. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDLOWERCASELEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLOWERCASELEN flag specifies the minimum number of lowercase ('a' through 'z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDUPPERCASELEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDUPPERCASELEN flag specifies the minimum number of uppercase ('A' through 'Z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDSPECIALCHARLEN=<integer> When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDSPECIALCHARLEN flag specifies the minimum number of special characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. The ':' (colon) character cannot be used as a special character. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
GENRANDOMPASSWORD Generate a random password for the admin user and write the password to the installation log file. The installer writes the credentials to %TEMP%\splunk.log. After the installation completes, you can use the findstr utility to search that file for the word "PASSWORD". After you get the credentials, delete the installation log file, as retaining the file represents a significant security risk. 1
USE_LOCAL_SYSTEM Install the universal forwarder as a local system 0
PRIVILEGEBACKUP Grant the Windows privilege SeBackupPrivilege to allow file monitor inputs to read(not write) any files. 1
PRIVILEGESECURITY Grant the Windows privilege SeSecurityPrivilege to allow WinEventLog inputs to collect security event logs. 1
PRIVILEGEIMPERSONATE Grant the Windows privilege SeImpersonatePrivilege to allow customers grant more permissions for UF by manually adding UF user to other local user/security groups.


Without this SeImpersonatePrivilege privilege, you might not be able to grant more permissions by adding the Splunk forwarder user to any Windows group. This includes the Windows builtin group Performance Monitor Users (as mentioned in the next row) to enable WMI & perfmon inputs.

1
GROUPPERFORMANCEMONITORUSERS Add universal forwarder user to Windows Performance Monitor Users to allow WMI and perfmon inputs to collect data. 1

Troubleshooting

By default, the universal forwarder uses a local system account on the domain controller and as of 9.1, the default user is the least privileged user. Since the universal forwarder user is not added to the local admin group by default, you might experience permission issues, particularly if you have installed any custom add-ons that require additional permissions. You can manually grant the additional permissions by adding the universal forwarder user to user groups:

Last modified on 12 July, 2024
Deploy the universal forwarder   Install a *nix universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters