Splunk® Universal Forwarder

Forwarder Manual

Install a Windows universal forwarder

Install a Windows universal forwarder using an installer or the command line. Use the installer for larger deployments and the command line for smaller deployments. Before you begin, see the universal forwarder deployment prerequisites. See Deploy the universal forwarder for a list of high-level steps to take before and after installing the universal forwarder.

You can choose from the following installation methods:

Version 9.1.0 and higher does not work with version 3 of the Splunk-to-Splunk protocol. Upgrade all of your instances if possible, but if you must use the old version of the Splunk-to-Splunk protocol, see the Troubleshooting guide. The latest forwarders will not communicate with the indexers running Splunk Enterprise 7.0 or lower.

About the least-privileged user

Do not run the universal forwarder as a local system account or domain user, as doing this would provide the user with high-risk permissions that aren't necessarily needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least- privileged" user called splunkforwarder, which provides only the capabilities necessary to run the universal forwarder.

Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect Windows Management Instrumentation and performance monitor inputs. To mitigate input issues, when you're installing with the installer make the default account the local system on the domain controller.

If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice:

Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privileged user" with limited permissions on Windows.


Security and performance implications for least privileged user

Least privilege mode is enabled to read any file on Windows version 9.1.0 and later. A non-admin user that cannot access some files before turning on least privilege mode might be able to access those files after enablement in the following situations:

  • You upgrade the universal forwarder from an older version to a version that supports least privilege mode.
  • Before upgrade, your universal forwarder runs as a non-local administrator.
  • Prior to upgrade, you have inputs to monitor a directory with many files, or inputs with scripts to read many files, where users have no permission to access those files.

Since the universal forwarder is able to read far more files than before, the forwarder consumes more resources such as CPU, memory, and disk input/output. You can resolve this on Windows in one of two ways:

  • During installation, you can use the PRIVILEGEBACKUP=0 installation configuration flag.
  • After installation, you can remove the SeBackupPrivilege capability from the Windows local security policy. See the Microsoft documentation for more information.

Manage SePrivilegeUser permissions

On Windows, the SeSecurityPrivilege privilege is READ/WRITE by design, This means that the user with this privilege can modify and delete Security Event Logs.

If you do not want your least-privileged user to be able to modify Security Event Logs, do not grant the SeSecurityPrivilege privilege. Instead, update the EventlogReaders group with a user that has permissions to run the universal forwarder. Add the least privileged user to the Windows "EventLogReaders" group manually so that it has read only permission to collect security event logs.

If a universal forwarder is running on Domain Controllers, the "EventLogReaders" group is not available by Windows design because there is no local user or group on the domain controller. In this case, the SeSecurityPrivilege is your best option.

Install a Windows universal forwarder from an installer

To install a Windows universal forwarder from an installer:

  1. Download the Splunk universal forwarder from splunk.com. Select the MSI file to start the installation.
  2. On the first screen of the installer, select Check this box to accept the License Agreement and select whether you are installing on Splunk Enterprise or Splunk Cloud Platform.
  3. Select Next to create an administrator account.
  1. Select "Customize options" to optionally change the following:
  2. In the Destination Folder dialog box, select Change and specify a different installation directory.
  3. On the Certificate Information page, select Next as a best practice. Do not specify any parameters.
  4. By default the universal forwarder is installed with a least-privileged user. You can use the radio buttons to change the account on which the universal forwarder runs.
  5. To allow the least privileged user to enable universal forwarder features, grant all or some of the following permissions in the dialog box: Grant Windows privileges to enable universal forwarder features:
    Permission Function
    SeBackupPrivilege Select to grant the least privileged user READ ONLY permissions for files.
    SeSecurityPrivilege Select to allow the user to collect Windows security event logs. NOTE: The SeSecurityPrivilege permissions are READ/WRITE by design on Windows. This means that the user can also modify and delete Security Event Logs. To mitigate this issue, see "Manage SePrivilegeUser permissions" in this topic.
    SeImpersonatePrivilege Select to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources.

    Grant Windows groups privileges to enable universal forwarder features:

    Permission Function
    Performance Monitor Users Select for WMI/perfmon inputs to collect performance data.
  6. Create credentials for your administrator account. The default username is "Admin" and you can check Generate a password to automatically create a password. You can also manually create your own username and password.
  7. Perform one of the following steps depending upon your requirements:
    • In the Deployment Server pane, enter a host name or IP address and management port for the deployment server that you want the universal forwarder to connect to and select Next.
    • In the Receiving Indexer pane, enter a host name or IP address and the receiving port for the receiving indexer that you want the universal forwarder to send data to and select Next.
  8. Select Install. The installer runs and displays the Installation Completed dialog box. The universal forwarder automatically starts.
  9. From the Windows Control Panel, confirm that the SplunkForwarder service is running.

Install a Windows universal forwarder from the command line

You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.

Note the following when installing from the command line:

  • When installing version 9.1.0 and higher of the universal forwarder with the command line, the default account on the domain controllers is the local system. If the USE_VIRTUAL_ACCOUNT or LOGON_USERNAME flags is enabled, then the GROUPPERFORMANCEMONITORUSERS flag must be 0, otherwise the installation fails. If you have problems on WMI/perfmon inputs, see the Troubleshooting topic.
  • If you have enabled Windows to automatically run scripts, Splunk installation might fail if the autorun script fails. As a workaround, you can install the forwarder with the following command: cmd /D msiexec.exe /i.
  • You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.
  • In some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore the reboot request without rebooting.

Install the universal forwarder with installation flags

Review the supported command line flags table to determine the flags you need to accomplish your command line installation task.

From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:

msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]

Follow the prompts on screen to complete the installation. Panes for flags that you have specified in the command line do not appear.

Install the universal forwarder silently

If your Windows machine has User Account Control (UAC) enabled, you must run a silent installation as a Windows administrator user.

Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.

From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add AGREETOLICENSE=yes /quiet to the end of the command string, as follows:

msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] AGREETOLICENSE=yes /quiet

The installation completes silently and the universal forwarder starts if there is no error during installation.

Install the universal forwarder and enable verbose logging during installation

For more information on the msiexec logging command, see To set logging level on MS TechNet.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command-line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] /L*v logfile.txt
  3. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

Examples

Install the universal forwarder silently, agree to the license, and set the forwarder admin credentials to "SplunkAdmin/Ch@ng3d!"

Always create a password for the Splunk admin user. If you do not, then the universal forwarder can start with no defined users, which means that you cannot log in or make changes to the initial forwarder configuration. 

msiexec.exe /i splunkforwarder_x64.msi AGREETOLICENSE=yes SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=Ch@ng3d! /quiet

Install the universal forwarder to run as the Local System user and request configuration from deployment server deploymentserver1

You might do this for new deployments of the forwarder. 

msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

Install the universal forwarder to run as a domain user, but do not launch it immediately

You might do this when you are preparing a machine to clone the forwarder software. 

msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet

Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode

You might run this command to collect the Security and System event logs without any prompts during the installation.. 

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Supported command line flags

Use command-line flags to configure your forwarder at installation time. The flags specify settings that include:

  • The user the universal forwarder runs as. (When you specify a flag, confirm the user you specify has the appropriate permissions to access the content you want to forward.)
  • The receiving Splunk instance to which the universal forwarder will send data.
  • A deployment server for updating the forwarder configuration.
  • The Windows event logs that the forwarder will index.
  • Whether the universal forwarder will start automatically when the installation is completed.

The installer for the full version of Splunk Enterprise has its own set of installation flags. For information on the full Splunk Enterprise installer, see Install on Windows in the Splunk Enterprise Installation Manual.

The following list shows the flags available and provides a few examples of various configurations.

Flag Purpose Default
AGREETOLICENSE Agrees to the license. You must set AGREETOLICENSE to Yes to perform a silent installation. The flag does not work when you click the MSI to start installation. No
INSTALLDIR="<directory_path>" Specifies the installation directory. Do not install the universal forwarder over an existing installation of full Splunk Enterprise. C:\Program Files\Splunk
UniversalForwarder
LOGON_USERNAME="<domain\username>"

LOGON_PASSWORD="<pass>"

Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs to run as the Local System user. n/a
RECEIVING_INDEXER="<host:port>" (Optional) Specify the receiving indexer to which the universal forwarder will forward data. Enter the name (hostname or IP address) and receiving port of the receiver. RECEIVING_INDEXER="<host:port>" accepts only a single receiver. To specify multiple receivers (to implement load balancing), configure your setting through the CLI or outputs.conf.

If you do not specifyRECEIVING_INDEXER="" and also do not specify DEPLOYMENT_SERVER, the universal forwarder cannot determine which indexer to forward to.

 n/a
DEPLOYMENT_SERVER="<host:port>" Specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server name (hostname or IP address) and port.

Note: If you do not specify DEPLOYMENT_SERVER="<host:port>" and also do not specify RECEIVING_INDEXER, the universal forwarder cannot determine the receiving indexer.

n/a
LAUNCHSPLUNK Specify whether the universal forwarder starts when the installation finishes. 1 (yes)
SERVICESTARTTYPE Specify whether the universal forwarder starts when the system reboots.

By setting LAUNCHSPLUNK to 0 and SERVICESTARTTYPE to auto, the universal forwarder does not start forwarding until the next system boot. This is useful when you want to clone a system image.

 auto
MONITOR_PATH="<directory_path>" Specify a file or directory to monitor. n/a
WINEVENTLOG_APP_ENABLE=

WINEVENTLOG_SEC_ENABLE WINEVENTLOG_SYS_ENABLE WINEVENTLOG_FWD_ENABLE WINEVENTLOG_SET_ENABLE

Enable these Windows event logs.
  • application
  • security
  • system
  • forwarders
  • setup

You can specify more than one of these flags in a command.

0 (no)
PERFMON=<input_type>,<input_type>,... Enable Performance Monitor inputs. <input_type> can be any of these:

cpu memory network diskspace

n/a
ENABLEADMON Enable Active Directory monitoring for a remote deployment. 0 (not enabled)
* CERTFILE=<c:\path\to\certfile.pem>
  • ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>
  • CERTPASSWORD=<password>
 Supply SSL certificates:
  • Path to the cert file that contains the public/private key pair.
  • (Optional) Path to the file that contains the Root CA certificate for verifying CERTFILE is legitimate.
  • Password for private key of CERTFILE (optional).

You must set RECEIVING_INDEXER for these flags to have any effect.

 n/a
CLONEPREP Delete any instance-specific data in preparation for creating a clone of a machine. This runs the splunk clone-prep-clear-config CLI command, which removes machine-specific information from configuration files after the instance runs for the first time. 0 (do not prepare the instance for cloning.)
SET_ADMIN_USER Specify if the user you specify is an administrator.

You must set both the LOGON_USERNAME and LOGON_PASSWORD flags when you set SET_ADMIN_USER.

0
SPLUNKUSERNAME Create a username for the Splunk administrator user. If you use the /quiet flag to specify a quiet installation and do not specify SPLUNKUSERNAME, then the software uses the default value of admin. You must still specify a password with the SPLUNKPASSWORD or GENRANDOMPASSWORD flags for the installation to add the credentials successfully. N/A
SPLUNKPASSWORD Create a password for the Splunk administrator user. The password must meet eligibility requirements and be in plain text. If you specify a quiet installation with the /quiet flag and do not specify SPLUNKPASSWORD or the SPLUNKUSERNAME flag, and GENRANDOMPASSWORD is 0, then the universal forwarder installs without a user and you must create one by editing the user-seed.conf configuration file. N/A
SPLUNKPASSWORD When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLEN flag specifies the minimum length that a password must be to meet these eligibility requirements. You cannot set SPLUNKPASSWORD to 0 or a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set SPLUNKPASSWORD. > 1
MINPASSWORDDIGITLEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDDIGITLEN flag specifies the minimum number of numeral (0 through 9) characters that a password must contain to meet these eligibility requirements. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDLOWERCASELEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLOWERCASELEN flag specifies the minimum number of lowercase ('a' through 'z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDUPPERCASELEN When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDUPPERCASELEN flag specifies the minimum number of uppercase ('A' through 'Z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDSPECIALCHARLEN=<integer> When you set a password using the SPLUNKPASSWORD flag, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDSPECIALCHARLEN flag specifies the minimum number of special characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. The ':' (colon) character cannot be used as a special character. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
GENRANDOMPASSWORD Generate a random password for the admin user and write the password to the installation log file. The installer writes the credentials to %TEMP%\splunk.log. After the installation completes, you can use the findstr utility to search that file for the word "PASSWORD". After you get the credentials, delete the installation log file, as retaining the file represents a significant security risk. 1
USE_LOCAL_SYSTEM Install the universal forwarder as a local system 0
PRIVILEGEBACKUP Grant the Windows privilege SeBackupPrivilege to allow file monitor inputs to read(not write) any files. 1
PRIVILEGESECURITY Grant the Windows privilege SeSecurityPrivilege to allow WinEventLog inputs to collect security event logs. 1
PRIVILEGEIMPERSONATE Grant the Windows privilege SeImpersonatePrivilege to allow customers grant more permissions for UF by manually adding UF user to other local user/security groups.


Without this SeImpersonatePrivilege privilege, you might not be able to grant more permissions by adding the Splunk forwarder user to any Windows group. This includes the Windows builtin group Performance Monitor Users (as mentioned in the next row) to enable WMI & perfmon inputs.

1
GROUPPERFORMANCEMONITORUSERS Add universal forwarder user to Windows Performance Monitor Users to allow WMI and perfmon inputs to collect data. 1

Troubleshooting

By default, the universal forwarder uses a local system account on the domain controller and as of 9.1, the default user is the least privileged user. Since the universal forwarder user is not added to the local admin group by default, you might experience permission issues, particularly if you have installed any custom add-ons that require additional permissions. You can manually grant the additional permissions by adding the universal forwarder user to user groups:

Last modified on 31 October, 2024
Deploy the universal forwarder   Install a *nix universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters