Install the universal forwarder on FreeBSD

Important: Splunk does not offer an installation package for Splunk Enterprise version 6.3.0 or later on FreeBSD. It does, however, offer a universal forwarder installation package for FreeBSD versions 8, 9, and 10. These instructions detail how to install the universal forwarder on those versions of FreeBSD.

To use Splunk Enterprise on FreeBSD, you must download an older version of the Splunk software.

Prerequisites

For FreeBSD 8, only, the universal forwarder requires compatibility packages. To install the compatibility package:

1. Install the port:

portsnap fetch update

cd /usr/ports/misc/compat7x/ && make install clean

2. Add the package:

pkg_add -r compat7x-amd64

Basic install

Note: These instructions are for installing the universal forwarder only. There is no current version of Splunk Enterprise available for FreeBSD.

FreeBSD best practices maintain a small root filesystem. You might want to create a symbolic link to another filesystem and install Splunk there, rather than attempting to install in /opt.

1. Confirm that the /opt/splunkforwarder directories exist. If they do not, create them or link to another file system from there.

2. Install the universal forwarder on FreeBSD using the intel installer:

pkg_add splunkforwarder-intel.tgz

Important: This installs Splunk Enterprise in the default directory, /opt/splunkforwarder. If /opt does not exist and you have not created it, you might receive an error message.

To install Splunk Enterprise in a different directory:

pkg_add -v -p /usr/splunk splunkforwarder-intel.tgz

Tar file

Note: These instructions are for installing the universal forwarder tar file only. There is no current version of Splunk Enterprise available for FreeBSD.

Expand the universal forwarder tar file into an appropriate directory using the tar command. The default install directory is splunkforwarder in the current working directory.

tar xvzf splunkforwarder.tgz

To install into /opt/splunkforwarder, execute:

tar xvzf splunkforwarder.tgz -C /opt

Note: When you install the universal forwarder with a tar file:

• Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunkforwarder, either cd to /opt or place the tar file in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem.
• The forwarder does not create the splunk user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually before installing.
• Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

After you install

To ensure that the forwarder functions properly on FreeBSD, you must:

1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
machdep.hlt_cpus=0 

2. Add the following to /etc/sysctl.conf:

vm.max_proc_mmap=2147483647

You must restart FreeBSD for the changes to effect.

If your server has less than 2 GB of memory, reduce the values accordingly.

Start the universal forwarder

The universal forwarder can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify.

To start the forwarder from the command line interface, run the following command from the $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk Enterprise):

 ./splunk start

By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk Enterprise installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.