Deploy a Windows universal forwarder via the installer GUI
This topic describes how to manually install, configure, and deploy the universal forwarder in a Windows environment using the installer GUI. It assumes that you're installing directly onto the Windows machine, rather than using a deployment tool. This type of scenario best suits these needs:
- small deployments
- proof-of-concept test deployments
- system image or virtual machine for eventual cloning
If you are interested in a different deployment scenario or a different operating system, look for another topic in this section that better fits your needs.
This topic describes how to install the universal forwarder with the installer GUI. You can also install from the commandline, using
msiexec. See "Deploy a Windows universal forwarder via the commandline" for more information.
Important: If you do not want the universal forwarder to start immediately after installation, you must use the commandline interface.
Before following the procedures in this topic, read "Deployment overview".
Steps to deployment
Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:
1. Install the universal forwarder (with optional migration and configuration).
2. Test and tune the deployment.
3. Perform any post-installation configuration.
4. Deploy the universal forwarder across your environment.
Install the universal forwarder
The Windows installer guides you through the process of installing and configuring your universal forwarder. It also offers you the option of migrating your checkpoint settings from an existing Splunk forwarder.
To install the universal forwarder, double-click the appropriate MSI file:
splunkuniversalforwarder-<...>-x86-release.msi(for 32-bit platforms)
splunkuniversalforwarder-<...>-x64-release.msi(for 64-bit platforms)
The value of
<...> varies according to the particular release; for example,
Important: Running the 32-bit version of the universal forwarder on a 64-bit platform is not recommended. If you can run 64-bit universal forwarder on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.
A series of dialogs guide you through the installation. When you're through with a dialog, click Next to move to the next in the series. Here are the dialogs, in order:
1. "Welcome" dialog
To begin the installation, click Next.
2. "License Agreement" dialog
Read the license agreement and select "I accept the terms in the license agreement".
3. "Destination Folder" dialog
The universal forwarder is installed by default into the directory
Click Change... to specify a different installation directory.
Important: Do not install the universal forwarder over an existing installation of full Splunk. This is particuarly vital if you will be migrating from a light forwarder as described in "Migrate a Windows light forwarder". The default install directory for full Splunk is
C:\Program Files\Splunk, so, if you stick with the defaults, you're safe.
4. "Migration" pop-up
If the installer detects an existing version of Splunk, it will ask you whether you want to migrate the existing Splunk's data checkpoint settings to the universal forwarder. If you click Yes, it will automatically perform the migration.
Important: This is the only time when you can migrate old settings to this universal forwarder. You cannot perform the migration post-installation.
See "Migrate a Windows forwarder" for more information on what migration does.
5. "Deployment Server" dialog
Enter the hostname or IP address and management port for your deployment server. The default management port is 8089.
Note: This step is optional, but if you skip it, you must enter a receiving indexer in step 6; otherwise, the universal forwarder will not be able function, as it will not have any way of determining which indexer to forward to.
6. "Receiving Indexer" dialog
Note: This step is optional, but if you skip it, you must enter a deployment server in step 5; otherwise, the universal forwarder will not be able function, as it will not have any way of determining which indexer to forward to.
7. "Certificate Information" dialog
Select an SSL certificate for verifying the identity of this machine (optional).
Depending on your certificate requirements, you may need to specify a password and a Root CA certificate to verify the identity of the certificate. If not, these fields can be left blank.
Note: This dialog will only appear if you previously specified a receiving indexer (step 6).
8. "Where do you want to get data from?" dialogs
This step in the installer requires one or two dialogs, depending on whether the universal forwarder will be collecting local data exclusively.
In the first dialog, you specify the user context: whether you want the universal forwarder to collect only local data or also remote Windows data. The installer uses this information to determine the permissions the universal forwarder needs.
Note: If you select Local data only, the universal forwarder will install as the local system user, and network resources will not be available to it. This is recommended for improved security, unless this universal forwarder will be collecting event logs or metrics from remote machines. For more help in determining what to select here, see "Choose the user the universal forwarder should run as".
Once you've made your choice, click Next.
If you specified Local data only, the installer skips the second screen and takes directly to the "Enable Windows Inputs" dialog (step 8).
If you specified Remote Windows data, the installer now takes you to a second dialog, where you need to enter domain and user information for this instance of the universal forwarder. The universal forwarder will run as the user you specify in this dialog.
The user you specify here must have permissions to:
- Run as a service.
- Read whatever files you are configuring it to monitor.
- Collect event logs or performance metrics via WMI. This is a highly privileged action; see "Monitor WMI data" for more information.
- Write to the universal forwarder's directory.
9. "Enable Windows Inputs" dialog
Select one or more Windows inputs from the list.
This step is optional. You can enable inputs later, by editing
10. "Ready to Install the Program" dialog
Click Install to proceed.
The installer runs and displays the Installation Completed dialog.
Once the installation is complete, the universal forwarder automatically starts.
SplunkForwarder is the name of the universal forwarder service. You should confirm that it is running.
Test the deployment
Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer. You can use the deployment monitor app to validate the universal forwarder.
If you migrated from an existing forwarder, make sure that the universal forwarder is forwarding data from where the old forwarder left off. If it isn't, you probably need to modify or add data inputs, so that they conform to those on the old forwarder.
Important: Migration does not automatically copy any configuration files; you must set those up yourself. The usual way to do this is to copy the files, including
inputs.conf, from the old forwarder to the universal forwarder. Compare the
inputs.conf files on the universal forwarder and the old forwarder to ensure that the universal forwarder has all the inputs that you want to maintain.
If you migrated from an existing forwarder, you can delete that old instance once your universal forwarder has been thoroughly tested and you're comfortable with the results.
Perform additional configuration
You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as
outputs.conf. You can also update the configuration using the CLI. See "Deployment overview" for information.
Note: When you use the CLI, you might need to authenticate into the Splunk forwarder to complete commands. The default credentials for a universal forwarder are:
For information on distributing configuration changes across multiple universal forwarders, see "About deployment server".
Deploy the universal forwarder across your environment
If you need just a few universal forwarders, you might find it simpler just to repeat the manual installation process, as documented in this topic. If you need to install a larger number of universal forwarders, it will probably be easier to deploy them remotely with a deployment tool or else as part of a system image or virtual machine.
Uninstall the universal forwarder
To uninstall the universal forwarder, perform the following steps:
1. Use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the
Note: You can also stop the service from the command line with the following command:
NET STOP SplunkForwarder
2. Next, use the Add or Remove Programs control panel to uninstall the forwarder. On Windows 7 and Windows Server 2008, that option is available under Programs and Features.
Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.
Universal forwarder deployment overview
Deploy a Windows universal forwarder via the commandline
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1