Deploy a Windows universal forwarder via the installer GUI
This topic describes how to manually install, configure, and deploy the universal forwarder in a Windows environment using the installer GUI. It assumes that you're installing directly onto the Windows machine, rather than using a deployment tool. This method of installation best suits these needs:
- small deployments
- proof-of-concept test deployments
- system image or virtual machine for eventual cloning
If you are interested in a different deployment method or a different operating system, look for another topic in this section that better fits your needs.
You can also install the universal forwarder from the command line, using
msiexec. The command-line deployment provides more configuration options, for data inputs and other settings. See "Deploy a Windows universal forwarder via the command line" for more information.
Important: If you do not want the universal forwarder to start immediately after installation, you must install via the command line.
Before following the procedures in this topic, read "Universal forwarder deployment overview" to further understand the mechanics of a distributed Splunk Enterprise deployment.
Steps to deployment
Once you have downloaded the universal forwarder and planned your deployment, perform these steps:
1. Install the universal forwarder (with optional migration and configuration).
Before you install
Choose the account that the universal forwarder should use
When you install the universal forwarder, you can select where the forwarder will get its data. You have two choices:
- Local System
- Domain account
If you tell the installer to install as the Local System user, the universal forwarder can collect any kind of data that is available on the local machine. It cannot, however, collect data from other machines.
You must install the forwarder as a Domain user if you intend to do any of the following:
- Read Event Logs remotely
- Collect performance counters remotely
- Read network shares for log files
- Enumerate the Active Directory schema, using Active Directory monitoring
If you install as a domain user, you must then specify a user which has access to the data you want to monitor. Read "Choose the Windows user Splunk should run as" in the Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.
If you install as a domain user, you can choose whether or not the user has administrative privileges on the local machine. If you choose not to give the user administrative privileges, the universal forwarder enables "low-privilege" mode. Read the installation instructions later in this topic for additional information on how to enable low-privilege mode.
Important: You should choose - and configure - the user that Splunk will run as before attempting to install a universal forwarder for remote Windows data collection.
Configure your Windows environment for remote data collection
If you do not need to install the universal forwarder to collect remote Windows data, you can continue to the installation instructions below.
If your monitoring needs require you to install the universal forwarder to collect remote Windows data, then you must configure your Windows environment for the proper installation of the forwarder.
1. Create and configure security groups with the user you want the universal forwarder to run as.
2. Optionally, configure the universal forwarder account as a managed service account.
3. Create and configure Group Policy objects for security policy and user rights assignment.
4. Assign appropriate user rights to the GPO.
5. Deploy the GPO(s) with the updated settings to the appropriate objects.
Note: These steps are high-level procedures only. For step-by-step instructions, read "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in the Installation Manual. Depending on whether or not you install the forwarder in low-privilege mode, one or more steps might not be necessary.
Install the universal forwarder
The Windows installer guides you through the process of installing and configuring your universal forwarder. It also offers you the option of migrating your checkpoint settings from an existing forwarder.
1. Download the universal forwarder from splunk.com.
2. To install the universal forwarder, double-click the appropriate MSI file:
splunkuniversalforwarder-<...>-x86-release.msi(for 32-bit platforms)
splunkuniversalforwarder-<...>-x64-release.msi(for 64-bit platforms)
The value of
<...> varies according to the particular release; for example,
Caution: You can no longer install or run the 32-bit version of the Splunk universal forwarder for Windows on a 64-bit Windows system. You also cannot install the universal forwarder on a machine that runs an unsupported OS. See "System requirements."
If you attempt to run the installer in such a way, it warns you and prevents the installation.
A series of dialogs guides you through the installation. When you're through with a dialog, click Next to move to the next in the series. Here are the dialogs, in order:
1. "Universal forwarder setup" dialog
To continue the installation, check the "Check this box to accept the License Agreement" checkbox. To view the license agreement, click the "View License Agreement" button.
New for version 6.2 of the universal forwarder, the Windows installer gives you two choices: Install with the default installation settings, or configure all settings prior to installing.
The installer does the following by default:
- Installs the universal forwarder in
\Program Files\SplunkUniversalForwarderon the system drive (the drive that booted your Windows system.)
- Installs the universal forwarder with the default management port.
- Configures the universal forwarder to run as the Local System user. Read "Choose the user Splunk Enterprise should run as" in this manual to understand the ramifications.
- Installs the Splunk Add-on for Windows into the universal forwarder apps directory.
- Enables the Application, System, and Security Windows Event Log inputs within the installed add-on.
2a. If you want to change any of these default installation settings, click the "Customize Options" button and proceed with the instructions in "Customize Options" in this topic.
2b. Otherwise, click the "Install" button to install the software with the defaults. Then, continue with Step 8.
On each panel, click Next to continue, Back to go back a step, or Cancel to cancel the installation and quit the installer.
3. "Destination Folder" dialog
The installer puts the universal forwarder into the
C:\Program Files\SplunkUniversalForwarder directory by default.
Click Change... to specify a different installation directory.
Caution: Do not install the universal forwarder over an existing installation of full Splunk Enterprise.The default installation directory for full Splunk Enterprise is
C:\Program Files\Splunk, so, if you stick with the defaults, you're safe.
4. "Certificate Information" dialog
Select an SSL certificate for verifying the identity of this machine. This step is optional. Skip this step if using Splunk Cloud.
Depending on your certificate requirements, you might need to specify a password and a Root Certificate Authority (CA) certificate to verify the identity of the certificate. If not, these fields can be left blank.
5. "User selection" dialogs
This step in the installer requires one or two dialogs, depending on the user type you choose.
In the first dialog, specify whether you want the universal forwarder to run as the Local System user or a domain user. The installer uses this information to determine the permissions the universal forwarder needs.
If you select Local System, the universal forwarder installs as the Local System user. This is recommended for improved security, unless you want this universal forwarder to collect event logs or metrics from remote machines.
For more help in determining what to select here, see "Before you install" earlier in this topic.
After you make your choice, click Next.
If you specify Local System, the installer skips the second screen and takes you directly to the "Enable Windows Inputs" dialog.
If you specify Domain account, the installer takes you to a second dialog, where you need to enter domain and user information for this instance of the universal forwarder. The universal forwarder will run as the user you specify in this dialog.
Important: You must specify the user name in
domain\username format. Failure to include the domain name when specifying the user will cause the installation to fail.
On the second dialog, at the bottom, there is a checkbox labeled "Add user as local administrator". When the checkbox is checked (the default), the installer adds the domain user you specified to the local Administrators group. When the checkbox is not checked, the universal forwarder installs in "low-privilege" mode. This mode is available for customers that cannot or do not want to run programs as an administrator on servers. Read "Run the universal forwarder in low-privilege mode" later in this topic for additional information and caveats.
To enable a normal installation as a user with local administrative privileges, leave the box checked.
Important: In many cases, the user you specify must have specific rights assigned to it prior to completing the installation. Failure to do so might result in a failed installation. Read "Before you install" earlier in this topic for specific information and links to step-by-step instructions.
Note: This dialog only appears if you previously specified a receiving indexer (in the previous step).
6a. "Enable Windows Inputs" dialog
Select one or more Windows inputs from the list.
This step is optional. You can enable inputs later, by editing
inputs.conf within the universal forwarder directory.
Note: Read "Considerations for enabling data inputs in the installer" later in this topic about what happens when you enable inputs in this dialog.
6b. "Splunk Add-on for Windows" dialog
If you select any of the Windows inputs that the installer dialog shows you, the installer brings up the "Choose the Splunk Add-on for Windows" dialog.
In this dialog:
- Choose "Install the Splunk Add-on for Microsoft Windows included with this installer" if you do not already have a copy of the Splunk Add-on for Windows installed on the local machine. Or,
- Choose "Install an existing local copy of the Splunk Add-on for Microsoft Windows" if you have a local copy of the add-on installed on the machine, or if you have downloaded a more recent version from Splunkbase.
If you chose "Install an existing copy" above, locate the installed copy on your system by clicking the Browse button.
Once you have completed your selection, click Next.
Note: This dialog only appears if you previously selected an input in the input selection page.
7. "Specify a Deployment Server" dialog
Enter the hostname or IP address and management port for your deployment server. The default management port is 8089. Skip this step if using Splunk Cloud, unless you have an on-premises Deployment Server.
Note: This step is optional, but if you skip it, you should enter a receiving indexer in step 6; otherwise, the universal forwarder does not do anything, as it does not have any way of determining which indexer to forward data to. You can configure the forwarder with configuration files later.
8. "Specify Receiving Indexer" dialog
Note: This step is optional, but if you skip it, you should enter a deployment server in step 5; otherwise, the universal forwarder does not do anything, as it does not have any way of determining which indexer to forward to. A popup message appears which notes this. You can configure the forwarder with configuration files later.
9. "Ready to Install the Program" dialog
Click Install to proceed.
The installer runs and displays the Installation Completed dialog.
Once the installation is complete, the universal forwarder automatically starts.
SplunkForwarder is the name of the universal forwarder service. You should confirm that it is running.
Considerations for enabling data inputs in the installer
If you enable data inputs in the "Enable Inputs" dialog box when installing the universal forwarder, the installer saves the configuration that enables those inputs into the Splunk Add-on for Windows that comes with the installer. This configuration includes index definitions.
This means that the indexer that this forwarder sends data to must already have those indexes defined. The indexes are:
perfmonfor Performance Monitoring inputs.
windowsfor generic Windows inputs.
wineventlogfor Windows Event Log inputs.
By default, indexers do not have these indexes defined. To address that, either define the indexes before performing a universal forwarder installation, or install the Splunk Add-on for Windows onto the indexer. This is a Splunk best practice.
Install the universal forwarder in "low-privilege" mode
When you specify a domain user and choose not to give that user local administrator rights, the forwarder installs and runs in "low-privilege" mode.
There are some caveats to doing so:
- You do not have administrative access to any resources on either the server or the domain when you run the universal forwarder in low-privilege mode.
- You might need to add the domain user to additional domain groups in order to access remote resources. Additionally, you might need to add the user to local groups to access local resources that only privileged users would have access to.
- You cannot collect Windows Management Instrumentation (WMI) data as a non-admin user.
To enable "low privilege" mode, uncheck the "Add user as local administrator" checkbox on the user selection dialog pane during the installation process.
Test the deployment
Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer.
If you migrated from an existing forwarder, make sure that the universal forwarder is forwarding data from where the old forwarder left off. If it isn't, you need to modify or add data inputs, so that they conform to those on the old forwarder.
Important: Migration does not automatically copy any configuration files. You must set those up yourself. The usual way to do this is to copy the files, including
inputs.conf, from the old forwarder to the universal forwarder. Compare the
inputs.conf files on the universal forwarder and the old forwarder to ensure that the universal forwarder has all the inputs that you want to maintain.
If you migrated from an existing forwarder, you can delete that old instance once your universal forwarder has been thoroughly tested and you're comfortable with the results.
Perform additional configuration
You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as
outputs.conf. You can also update the configuration using the CLI. See "Configure the universal forwarder" for information.
Note: When you use the CLI, you might need to authenticate into the forwarder to complete commands. The default credentials for a universal forwarder are:
For information on distributing configuration changes across multiple universal forwarders, see "About deployment server" in the Updating Splunk Enterprise Instances manual.
Deploy the universal forwarder across your environment
If you need just a few universal forwarders, you might find it simpler just to repeat the manual installation process, as documented in this topic. If you need to install a larger number of universal forwarders, it will probably be easier to deploy them remotely with a deployment tool or else as part of a system image or virtual machine.
Uninstall the universal forwarder
To uninstall the universal forwarder, perform the following steps:
1. Use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the
Note: You can also stop the service from the command line with the following command:
NET STOP SplunkForwarder
2. Next, use the Add or Remove Programs control panel to uninstall the forwarder. On Windows 7, 8, Server 2008, and Server 2012, that option is available under Programs and Features.
Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.
Migrate from a light forwarder
Deploy a Windows universal forwarder via the command line
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0