Splunk® Universal Forwarder

Forwarder Manual

Enable a receiver for the Splunk Cloud Platform

A receiver is a Splunk component that you configure to listen on a specific network port for incoming data from a forwarder. This can include indexers, another forwarder, or Edge Processors.

A Splunk Cloud Platform receiving port is configured and enabled by default. You need to install and configure the Splunk Cloud Platform universal forwarder credentials package on your forwarders to access it. You can install the forwarder credentials on individual forwarders, or install the forwarder credentials on many forwarders using a deployment server. See the following options:

Alternatively, for enhanced data processing before routing the data to Splunk Cloud indexers, you can use the Edge Processor as a receiver for Splunk Cloud Platform. See About the Edge Processor Solution for more information.

Install the forwarder credentials on individual forwarders in *nix

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials package splunkclouduf.spl has been downloaded.
  4. Copy the file to a temporary directory, this is usually your "/tmp" folder.
  5. Install the splunkclouduf.spl app by entering the following in command line: $SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl.
  6. When you are prompted for a user name and password, enter the user name and password for the Universal Forwarder. The following message displays if the installation is successful: App '/tmp/splunkclouduf.spl' installed.
  7. Restart the forwarder to enable the changes by entering the following command: ./splunk restart.

Install the forwarder credentials on many forwarders using a deployment server in *nix

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl.
  4. Copy the file to your system's temporary (/tmp) folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:
    tar xvf splunkclouduf.spl
    .
  7. Navigate to the /bin subdirectory of the deployment server.
  8. Install the credentials package by running the following command:
    splunk install app <'full path to splunkclouduf.spl'> -auth <username>:<password>
    where <"full path to splunkclouduf.spl"> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the deployment server.
  9. Restart the deployment server by running the following command:
    /splunk restart
    .

Install the forwarder credentials on individual forwarders in Windows

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named %HOMEPATH%\Downloads.
  4. Copy the file to your system's temporary (\tmp) folder.
  5. Install the splunkclouduf.spl app by entering the following command: %SPLUNK_HOME%\bin\splunk.exe install app %HOMEPATH%\Downloads\splunkclouduf.spl.
  6. When you are prompted for a username and password, enter the username and password for the Universal Forwarder. The following message displays if the installation is successful: App %HOMEPATH%\Downloads\splunkclouduf.spl installed.
  7. Restart the forwarder to enable the changes by entering the following command. .\splunk.exe restart.

Install the forwarder credentials on many forwarders using a deployment server in Windows

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file splunkclouduf.spl was downloaded.
  4. Copy the file to your system's temporary (\tmp) folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME\etc\deployment-apps\ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:
    tar xvf splunkclouduf.spl
    .
  7. Navigate to the \bin subdirectory of the deployment server.
  8. Install the credentials package by running the following command:
    splunk install app <"full path to splunkclouduf.spl"> -auth <username>:<password>
    where <"full path to splunkclouduf.spl"> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the deployment server.
  9. Restart the deployment server by running the following command:
    \splunk restart
  10. .

Renew certificates in the Splunk Cloud Universal Forwarder credentials package

In versions 9.3.0 and higher of universal and heavy forwarders that connect to Splunk Cloud Platform versions 9.2.2406 and higher, the TLS certificates that come with the Splunk Cloud Universal Forwarder credentials package can be renewed automatically after a certain period of time. You can also renew the certificates manually at your leisure.

Prerequisites for using automatic TLS certificate renewal on forwarders to Splunk Cloud Platform

To use automatic renewal of TLS certificates on forwarders that send data to Splunk Cloud Platform, you must have all of the following. Forwarder certificate rotation does not work in configurations other than the ones that appear here:

  • Your Splunk Cloud Platform environment must be hosted in a commercial Amazon Web Services (AWS) environment.
  • Currently, the environment can be hosted in any AWS region except for the following: ap-northeast-2, ap-south-1, eu-north-1, eu-south-1, me-central-1, or sa-east-1
  • The environment must run Splunk Cloud Platform version 9.2.2406 or higher.
  • Forwarders that you connect to the environment must run version 9.3.0 or higher.
  • You must configure at least one forwarding output group or channel on the forwarder to send data to Splunk Cloud Platform. There is no support for using automatic certificate rotation on forwarders that only send data to Splunk Enterprise.
  • You can use automatic certificate rotation with universal or heavy forwarders, but you must connect the forwarders directly to your Splunk Cloud Platform instance. There is no support for using automatic certificate rotation when you connect forwarding output channels to either intermediate forwarders or Edge Processor.

How automatic TLS certificate renewal on forwarders to Splunk Cloud Platform works

The autoCertRotation setting in the outputs.conf configuration file controls whether or not a universal or heavy forwarder automatically renews TLS certificates that have been installed through the Splunk Cloud Platform Universal Forwarder Credentials package.

A value of "true" for the setting means that the forwarder attempts to renew the certificates inside the credentials package, up to and including their expiration time. A value of "false" means that the forwarder does not attempt to renew certificates in the credentials package. By default, automatic certificate rotation does not occur.

A forwarder certificate becomes eligible for renewal when:

  • It has been configured for the forwarder to use it, and
  • It is within its validity window, which means the current date must be between its 'Not Before' and 'Not After' dates, inclusive, and
  • Less than or equal to 50% of its validity period remains. For example, a certificate with a validity period of 52 weeks is eligible for renewal after 26 weeks from its start of validity.

When a certificate on a forwarder enters its renewal eligibility period, the forwarder contacts the Splunk Cloud Platform instance to retrieve an updated certificate. If it is successful, it downloads the certificate and installs it immediately. There is no need to restart or reload the forwarder configuration.

Configure automatic TLS certificate renewal on forwarders to Splunk Cloud Platform

To configure automatic TLS certificate rotation on the forwarder, follow this procedure:

  1. On the forwarder, open the $SPLUNK_HOME/etc/system/local/outputs.conf file for editing.
  2. In the tcpout stanza(s) which represent the forwarding output group(s) that forward data to Splunk Cloud Platform, add the following line to the configuration file:
    [tcpout:<splunkcloud>]
    autoCertRotation = true
  3. Save the file and close it.
  4. Restart the forwarder or reload its configuration. The change takes effect immediately.

While it is possible to define automatic certificate rotation at any tcpout stanza level, there is no support for doing so at the global [tcpout] level when the forwarder sends data to multiple receivers. Additionally, there is no support for doing so for multiple [tcpout] output groups.

If the forwarder sends data to both a Splunk Enterprise and a Splunk Cloud Platform instance, add the configuration to the tcpout stanza that represents the connection to your Splunk Cloud Platform instance only.

If the forwarder connects to multiple Splunk Cloud Platform instances, add the setting to only one of the tcpout stanzas that forwards data to Splunk Cloud Platform.

There is no support for configuring automatic certificate rotation for multiple Splunk Cloud Platform environments from a single forwarder.

Manually renew TLS certificates on forwarders to Splunk Cloud Platform

You can always manually renew TLS certificates on a universal or heavy forwarder that sends data to Splunk Cloud Platform. To do this, follow this procedure:

  1. Download the latest version fo the unviersal forwarder credentials package from the Splunk website.
  2. Install the updated universal forwarder credentials package using the instructions that appear earlier in this topic.
  3. As the last step, rather than restarting the instance, reload the configuration by running the following command:
curl -i -u <username>:<password> https://<url of forwarder>:8089/services/data/outputs/tcp/default/_reload

If you want to reload the configuration without restarting on Windows machines, you must download and install the Windows version of the curl web transfer tool from the curl website. You can then follow the steps in this procedure.

Last modified on 25 September, 2024
Enable a receiver for Splunk Enterprise   Configure the universal forwarder using configuration files

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters