
Install the universal forwarder on FreeBSD
Important: Splunk does not offer an installation package for Splunk Enterprise version 6.3.0 or later on FreeBSD. It does, however, offer a universal forwarder installation package for FreeBSD versions 8, 9, and 10. These instructions detail how to install the universal forwarder on those versions of FreeBSD.
To use Splunk Enterprise on FreeBSD, you must download an older version of the Splunk software.
Prerequisites
For FreeBSD 8, only, the universal forwarder requires compatibility packages. To install the compatibility package:
1. Install the port:
portsnap fetch update
cd /usr/ports/misc/compat7x/ && make install clean
2. Add the package:
pkg_add -r compat7x-amd64
Basic install
Note: These instructions are for installing the universal forwarder only. There is no current version of Splunk Enterprise available for FreeBSD.
FreeBSD best practices maintain a small root filesystem. You might want to create a symbolic link to another filesystem and install Splunk there, rather than attempting to install in /opt
.
1. Confirm that the /opt/splunkforwarder
directories exist. If they do not, create them or link to another file system from there.
2. Install the universal forwarder on FreeBSD using the intel installer:
pkg_add splunkforwarder-intel.tgz
Important: This installs Splunk Enterprise in the default directory, /opt/splunkforwarder
. If /opt
does not exist and you have not created it, you might receive an error message.
To install Splunk Enterprise in a different directory:
pkg_add -v -p /usr/splunk splunkforwarder-intel.tgz
Tar file
Note: These instructions are for installing the universal forwarder tar file only. There is no current version of Splunk Enterprise available for FreeBSD.
Expand the universal forwarder tar file into an appropriate directory using the tar
command. The default install directory is splunkforwarder
in the current working directory.
tar xvzf splunkforwarder.tgz
To install into /opt/splunkforwarder
, execute:
tar xvzf splunkforwarder.tgz -C /opt
Note: When you install the universal forwarder with a tar file:
- Some non-GNU versions of
tar
might not have the-C
argument available. In this case, if you want to install in/opt/splunkforwarder
, eithercd
to/opt
or place the tar file in/opt
before running thetar
command. This method will work for any accessible directory on your machine's filesystem. - The forwarder does not create the
splunk
user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually before installing. - Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
After you install
To ensure that the forwarder functions properly on FreeBSD, you must:
1. Add the following to /boot/loader.conf
kern.maxdsiz="2147483648" # 2GB kern.dfldsiz="2147483648" # 2GB machdep.hlt_cpus=0
2. Add the following to /etc/sysctl.conf
:
vm.max_proc_mmap=2147483647
You must restart FreeBSD for the changes to effect.
If your server has less than 2 GB of memory, reduce the values accordingly.
Start the universal forwarder
The universal forwarder can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify.
To start the forwarder from the command line interface, run the following command from the $SPLUNK_HOME/bin
directory (where $SPLUNK_HOME is the directory into which you installed Splunk Enterprise):
./splunk start
By convention, this document uses:
$SPLUNK_HOME
to identify the path to your Splunk Enterprise installation.$SPLUNK_HOME/bin/
to indicate the location of the command line interface.
Startup options
The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license
option.
PREVIOUS Install on Mac OS X |
NEXT Install the universal forwarder on AIX |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
Feedback submitted, thanks!