Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Deploy a Windows universal forwarder via the installer GUI

This topic describes how to manually install, configure, and deploy the universal forwarder in a Windows environment using the installer GUI. It assumes that you're installing directly onto the Windows machine, rather than using a deployment tool. This method of installation best suits these needs:

  • small deployments
  • proof-of-concept test deployments
  • system image or virtual machine for eventual cloning

If you are interested in a different deployment method or a different operating system, look for another topic in this section that better fits your needs.

You can also install the universal forwarder from the command line, using msiexec. The command-line deployment provides more configuration options, for data inputs and other settings. See "Deploy a Windows universal forwarder via the command line" for more information.

Important: If you do not want the universal forwarder to start immediately after installation, you must install via the command line.

Before following the procedures in this topic, read "Universal forwarder deployment overview" to further understand the mechanics of a distributed Splunk Enterprise deployment.

Steps to deployment

Once you have downloaded the universal forwarder and planned your deployment, perform these steps:

1. Install the universal forwarder (with optional migration and configuration).

2. Test the deployment.

3. Perform additional configuration.

4. Deploy the universal forwarder across your environment.

Before you install

Choose the account that the universal forwarder should use

When you install the universal forwarder, you can select where the forwarder will get its data. You have two choices:

  • Local System
  • Domain account

If you tell the installer to install as the Local System user, the universal forwarder can collect any kind of data that is available on the local machine. It cannot, however, collect data from other machines.

You must install the forwarder as a Domain user if you intend to do any of the following:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files
  • Enumerate the Active Directory schema, using Active Directory monitoring

If you install as a domain user, you must then specify a user which has access to the data you want to monitor. Read "Choose the Windows user Splunk should run as" in the Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.

If you install as a domain user, you can choose whether or not the user has administrative privileges on the local machine. If you choose not to give the user administrative privileges, the universal forwarder enables "low-privilege" mode. Read the installation instructions later in this topic for additional information on how to enable low-privilege mode.

Important: You should choose - and configure - the user that Splunk will run as before attempting to install a universal forwarder for remote Windows data collection.

Configure your Windows environment for remote data collection

If you do not need to install the universal forwarder to collect remote Windows data, you can continue to the installation instructions below.

If your monitoring needs require you to install the universal forwarder to collect remote Windows data, then you must configure your Windows environment for the proper installation of the forwarder.

1. Create and configure security groups with the user you want the universal forwarder to run as.

2. Optionally, configure the universal forwarder account as a managed service account.

3. Create and configure Group Policy objects for security policy and user rights assignment.

4. Assign appropriate user rights to the GPO.

5. Deploy the GPO(s) with the updated settings to the appropriate objects.

Note: These steps are high-level procedures only. For step-by-step instructions, read "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in the Installation Manual. Depending on whether or not you install the forwarder in low-privilege mode, one or more steps might not be necessary.

Install the universal forwarder

The Windows installer guides you through the process of installing and configuring your universal forwarder. It also offers you the option of migrating your checkpoint settings from an existing forwarder.

1. Download the universal forwarder from splunk.com.

2. To install the universal forwarder, double-click the appropriate MSI file:

  • splunkuniversalforwarder-<...>-x86-release.msi (for 32-bit platforms)
  • splunkuniversalforwarder-<...>-x64-release.msi (for 64-bit platforms)

The value of <...> varies according to the particular release; for example, splunkuniversalforwarder-4.2-86454-x64-release.msi.

Caution: You can no longer install or run the 32-bit version of the Splunk universal forwarder for Windows on a 64-bit Windows system. You also cannot install the universal forwarder on a machine that runs an unsupported OS. See "System requirements."

If you attempt to run the installer in such a way, it warns you and prevents the installation.

A series of dialogs guides you through the installation. When you're through with a dialog, click Next to move to the next in the series. Here are the dialogs, in order:

1. "Universal forwarder setup" dialog

62 UFInstaller.png

To continue the installation, check the "Check this box to accept the License Agreement" checkbox. To view the license agreement, click the "View License Agreement" button.

Installation Options

New for version 6.2 of the universal forwarder, the Windows installer gives you two choices: Install with the default installation settings, or configure all settings prior to installing.

The installer does the following by default:

  • Installs the universal forwarder in \Program Files\SplunkUniversalForwarder on the system drive (the drive that booted your Windows system.)
  • Installs the universal forwarder with the default management port.
  • Configures the universal forwarder to run as the Local System user. Read "Choose the user Splunk Enterprise should run as" in this manual to understand the ramifications.
  • Installs the Splunk Add-on for Windows into the universal forwarder apps directory.
  • Enables the Application, System, and Security Windows Event Log inputs within the installed add-on.

2a. If you want to change any of these default installation settings, click the "Customize Options" button and proceed with the instructions in "Customize Options" in this topic.

2b. Otherwise, click the "Install" button to install the software with the defaults. Then, continue with Step 8.

Customize Options

On each panel, click Next to continue, Back to go back a step, or Cancel to cancel the installation and quit the installer.

3. "Destination Folder" dialog

62 UFInstaller Location.png

The installer puts the universal forwarder into the C:\Program Files\SplunkUniversalForwarder directory by default.

Click Change... to specify a different installation directory.

Caution: Do not install the universal forwarder over an existing installation of full Splunk Enterprise.The default installation directory for full Splunk Enterprise is C:\Program Files\Splunk, so, if you stick with the defaults, you're safe.

4. "Certificate Information" dialog

62 UFInstaller Certificate.png

Select an SSL certificate for verifying the identity of this machine. This step is optional. Skip this step if using Splunk Cloud.

Depending on your certificate requirements, you might need to specify a password and a Root Certificate Authority (CA) certificate to verify the identity of the certificate. If not, these fields can be left blank.

5. "User selection" dialogs

62 UFInstaller ChooseUser.png

This step in the installer requires one or two dialogs, depending on the user type you choose.

In the first dialog, specify whether you want the universal forwarder to run as the Local System user or a domain user. The installer uses this information to determine the permissions the universal forwarder needs.

If you select Local System, the universal forwarder installs as the Local System user. This is recommended for improved security, unless you want this universal forwarder to collect event logs or metrics from remote machines.

For more help in determining what to select here, see "Before you install" earlier in this topic.

After you make your choice, click Next.

If you specify Local System, the installer skips the second screen and takes you directly to the "Enable Windows Inputs" dialog.

If you specify Domain account, the installer takes you to a second dialog, where you need to enter domain and user information for this instance of the universal forwarder. The universal forwarder will run as the user you specify in this dialog.

62 UFInstaller Entercreds.png

Important: You must specify the user name in domain\username format. Failure to include the domain name when specifying the user will cause the installation to fail.

On the second dialog, at the bottom, there is a checkbox labeled "Add user as local administrator". When the checkbox is checked (the default), the installer adds the domain user you specified to the local Administrators group. When the checkbox is not checked, the universal forwarder installs in "low-privilege" mode. This mode is available for customers that cannot or do not want to run programs as an administrator on servers. Read "Run the universal forwarder in low-privilege mode" later in this topic for additional information and caveats.

To enable a normal installation as a user with local administrative privileges, leave the box checked.

Important: In many cases, the user you specify must have specific rights assigned to it prior to completing the installation. Failure to do so might result in a failed installation. Read "Before you install" earlier in this topic for specific information and links to step-by-step instructions.

Note: This dialog only appears if you previously specified a receiving indexer (in the previous step).

6a. "Enable Windows Inputs" dialog

62 UFInstaller EnableInputs.png

Select one or more Windows inputs from the list.

This step is optional. You can enable inputs later, by editing inputs.conf within the universal forwarder directory.

Note: Read "Considerations for enabling data inputs in the installer" later in this topic about what happens when you enable inputs in this dialog.

6b. "Splunk Add-on for Windows" dialog

62 UFInstaller Splunk TA Windows.png

If you select any of the Windows inputs that the installer dialog shows you, the installer brings up the "Choose the Splunk Add-on for Windows" dialog.

In this dialog:

  • Choose "Install the Splunk Add-on for Microsoft Windows included with this installer" if you do not already have a copy of the Splunk Add-on for Windows installed on the local machine. Or,
  • Choose "Install an existing local copy of the Splunk Add-on for Microsoft Windows" if you have a local copy of the add-on installed on the machine, or if you have downloaded a more recent version from Splunkbase.

If you chose "Install an existing copy" above, locate the installed copy on your system by clicking the Browse button.

Once you have completed your selection, click Next.

Note: This dialog only appears if you previously selected an input in the input selection page.

7. "Specify a Deployment Server" dialog

62 UFInstaller DeploymentServer.png

Enter the hostname or IP address and management port for your deployment server. The default management port is 8089. Skip this step if using Splunk Cloud, unless you have an on-premises Deployment Server.

You can use the deployment server to push configuration updates to the universal forwarder. See "About deployment server" in the Updating Splunk Enterprise Instances manual for details.

Note: This step is optional, but if you skip it, you should enter a receiving indexer in step 6; otherwise, the universal forwarder does not do anything, as it does not have any way of determining which indexer to forward data to. You can configure the forwarder with configuration files later.

8. "Specify Receiving Indexer" dialog

62 UFInstaller Receiver.png

Enter the hostname or IP address and receiving port of the receiving indexer (receiver). For information on setting up a receiver, see "Enable a receiver". Skip this step if using Splunk Cloud.

Note: This step is optional, but if you skip it, you should enter a deployment server in step 5; otherwise, the universal forwarder does not do anything, as it does not have any way of determining which indexer to forward to. A popup message appears which notes this. You can configure the forwarder with configuration files later.

9. "Ready to Install the Program" dialog

62 UFInstaller Summary.png

Click Install to proceed.

The installer runs and displays the Installation Completed dialog.

62 UFInstaller Complete.png

Once the installation is complete, the universal forwarder automatically starts. SplunkForwarder is the name of the universal forwarder service. You should confirm that it is running.

Considerations for enabling data inputs in the installer

If you enable data inputs in the "Enable Inputs" dialog box when installing the universal forwarder, the installer saves the configuration that enables those inputs into the Splunk Add-on for Windows that comes with the installer. This configuration includes index definitions.

This means that the indexer that this forwarder sends data to must already have those indexes defined. The indexes are:

  • perfmon for Performance Monitoring inputs.
  • windows for generic Windows inputs.
  • wineventlog for Windows Event Log inputs.

By default, indexers do not have these indexes defined. To address that, either define the indexes before performing a universal forwarder installation, or install the Splunk Add-on for Windows onto the indexer. This is a Splunk best practice.

Install the universal forwarder in "low-privilege" mode

When you specify a domain user and choose not to give that user local administrator rights, the forwarder installs and runs in "low-privilege" mode.

There are some caveats to doing so:

  • You do not have administrative access to any resources on either the server or the domain when you run the universal forwarder in low-privilege mode.
  • You might need to add the domain user to additional domain groups in order to access remote resources. Additionally, you might need to add the user to local groups to access local resources that only privileged users would have access to.
  • You cannot collect Windows Management Instrumentation (WMI) data as a non-admin user.

To enable "low privilege" mode, uncheck the "Add user as local administrator" checkbox on the user selection dialog pane during the installation process.

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer.

If you migrated from an existing forwarder, make sure that the universal forwarder is forwarding data from where the old forwarder left off. If it isn't, you need to modify or add data inputs, so that they conform to those on the old forwarder.

Important: Migration does not automatically copy any configuration files. You must set those up yourself. The usual way to do this is to copy the files, including inputs.conf, from the old forwarder to the universal forwarder. Compare the inputs.conf files on the universal forwarder and the old forwarder to ensure that the universal forwarder has all the inputs that you want to maintain.

If you migrated from an existing forwarder, you can delete that old instance once your universal forwarder has been thoroughly tested and you're comfortable with the results.

Perform additional configuration

You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as inputs.conf and outputs.conf. You can also update the configuration using the CLI. See "Configure the universal forwarder" for information.

Note: When you use the CLI, you might need to authenticate into the forwarder to complete commands. The default credentials for a universal forwarder are:

Username: admin
Password: changeme

For information on distributing configuration changes across multiple universal forwarders, see "About deployment server" in the Updating Splunk Enterprise Instances manual.

Deploy the universal forwarder across your environment

If you need just a few universal forwarders, you might find it simpler just to repeat the manual installation process, as documented in this topic. If you need to install a larger number of universal forwarders, it will probably be easier to deploy them remotely with a deployment tool or else as part of a system image or virtual machine.

Uninstall the universal forwarder

To uninstall the universal forwarder, perform the following steps:

1. Use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the SplunkForwarder service.

Note: You can also stop the service from the command line with the following command:

NET STOP SplunkForwarder

2. Next, use the Add or Remove Programs control panel to uninstall the forwarder. On Windows 7, 8, Server 2008, and Server 2012, that option is available under Programs and Features.

Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Last modified on 19 April, 2016
Migrate from a light forwarder
Deploy a Windows universal forwarder via the command line

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters