Splunk® Universal Forwarder

Forwarder Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install a Windows universal forwarder from the command line

You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window. To install the software with a GUI installer, see Install a Windows universal forwarder with the installer.

When to install from the command line?

Here are some scenarios where installing from the command line is useful:

  • You want to install the forwarder, but do not want to start it right away.
  • You want to automate installation of the forwarder with a script.
  • You want to install the forwarder on a machine that you will clone to other machines later.
  • You want to use a deployment tool such as Group Policy or System Center Configuration Manager.
  • You run a version of Windows Server Core.

Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Prerequisites for installing the universal forwarder on Windows

Choose the Windows user the universal forwarder should run as

When you install the universal forwarder, you can select the user it should run as. By default, the forwarder installs as the Local System user. To specify a domain account to run the forwarder as, specify the LOGON_USERNAME and LOGON_PASSWORD flags in the installation command.

You can also install the forwarder as a user who is not an administrator on the local machine. Use the SET_ADMIN_USER installation flag to install the forwarder in "low privilege" mode.

If you install the forwarder as the Local System user, the forwarder can collect any kind of data that is available on the local machine. It cannot collect data from other machines. This is by design.

You must give the universal forwarder a user account if you intend to do any of the following:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files
  • Enumerate the Active Directory schema, using Active Directory monitoring

See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements for collecting remote Windows data.

Configure your Windows environment prior to installation

The following steps are high-level. For step-by-step instructions, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.

  1. Create a security group for the user that you want to run the universal forwarder as.
  2. Add the user you want the universal forwarder to run as to this group.
  3. (Optional) Set up the universal forwarder user as a managed service account.
  4. Use the Group Policy Management Console to create and configure Group Policy or Local Security Policy objects for user rights assignments.
  5. Use the Group Policy Management Console to assign desired security rights to the universal forwarder user. For best results, make sure that your forwarder has permission to read wineventlog.
  6. If you use Active Directory, deploy the Group Policy objects with the updated settings.

Have credentials for the Splunk admin user ready

When you install the universal forwarder, you must create credentials for the Splunk administrator user. The installer does not create credentials for the user. Think of a user name and password and be ready to supply them when you perform the installation. If you do not supply at least a password during a silent installation, the universal forwarder can install without any users defined, which prevents login. You must then create a user-seed.conf file to fix the problem and restart the forwarder.

See Create secure administrator credentials in Securing Splunk for more information on how to create credentials for the Splunk administrator account.

Install the universal forwarder

You can install the forwarder with flags to prevent the installer from asking some questions, or you can specify the /quiet argument and set the AGREETOLICENSE flag for a completely silent installation.

For examples on how to install the universal forwarder from the command line, see "Examples" below.

Install the universal forwarder with installation flags

This method of installation acts like the method that is explained in Install the Windows universal forwarder from an installer, but does not ask some questions during the installation process, depending on the installation flags that you specify.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]
    
  3. Follow the prompts on screen to complete the installation. Panes for flags that you have specified in the command line will not appear.

Install the universal forwarder silently

If your Windows machine has User Account Control (UAC) enabled, you must run a silent installation as a Windows administrator user.

  1. Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
  2. From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add AGREETOLICENSE=yes /quiet to the end of the command string, as follows:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] AGREETOLICENSE=yes /quiet
    

The installation completes silently and the universal forwarder starts if there is no error during installation.

Install the universal forwarder in low-privilege mode

When you install the universal forwarder in low privilege mode, the Windows user that you specify during installation does not need to have administrative level privileges to run the forwarder software on the Windows machine.

There are some caveats to running the forwarder in low-privilege mode:

  • The Windows user that you use to install the forwarder must have local administrator privileges to perform the installation.
  • You do not have administrative access to any resources on either the host or the domain when you run the universal forwarder in low-privilege mode.
  • You might need to add the domain user to additional domain groups in order to access remote resources. Additionally, you might need to add the user to local groups to access local resources that only privileged users would have access to.
  • You cannot collect Windows Management Instrumentation (WMI) data as a non-admin user.
  1. Review the supported command line flags table to determine the flags you need to accomplish the command-line installation task.
  2. From a command prompt or PowerShell window, run msiexec.exe with the appropriate flags and add LOGON_USERNAME = <username> LOGON_PASSWORD = <password> SET_ADMIN_USER = 0 to the end of the command string.
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0
    
  3. (Optional) If you want to perform a silent installation, append AGREETOLICENSE=yes /quiet to the end of the command line string.
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] LOGON_USERNAME=<username> LOGON_PASSWORD=<password> SET_ADMIN_USER=0 AGREETOLICENSE=yes /quiet
    
  4. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

The forwarder installs and runs in "low-privilege" mode.

Install the universal forwarder and enable verbose logging during installation

For more information on the msiexec logging command, see To set logging level on MS TechNet.

  1. Review the supported command line flags table to determine the flags you need to accomplish your command-line installation task.
  2. From a command prompt or PowerShell window, run the msiexec.exe installer program with the appropriate flags, using the following syntax:
    msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>] /L*v logfile.txt
    
  3. Follow the prompts on screen to complete the installation. Installer configuration panes for flags that you have specified in the command line do not appear.

Supported command line flags

Command-line flags let you configure your forwarder at installation time. Using command-line flags, you can specify a number of settings, including:

  • The user the universal forwarder runs as. (When you specify this flag, confirm the user you specify has the appropriate permissions to access the content you want to forward.)
  • Whether or not the forwarder runs in "low-privilege" mode - as a user who does not have local administrative access.
  • The receiving Splunk instance that the universal forwarder will send data to.
  • A deployment server for updating the configuration.
  • The Windows event logs to index.
  • Whether the universal forwarder should start automatically when the installation is completed.

The installer for the full version of Splunk Enterprise has its own set of installation flags. For information on the full Splunk installer, see Install on Windows in the Splunk Enterprise Installation Manual.

The following list shows the flags available and provide a few examples of various configurations.

Flag Purpose Default
AGREETOLICENSE=Yes|No Agrees to the license. You must set this flag to Yes to perform a silent installation. The flag does not work when you click the MSI to start installation. No
INSTALLDIR="<directory_path>" Specifies the installation directory.

Do not install the universal forwarder over an existing installation of full Splunk Enterprise.

C:\Program Files\Splunk
UniversalForwarder
LOGON_USERNAME="<domain\username>"

LOGON_PASSWORD="<pass>"

Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs as the Local System user. n/a
RECEIVING_INDEXER="<host:port>" (Optional) Specify the receiving indexer to which the universal forwarder will forward data. Enter the name (host name or IP address) and receiving port of the receiver. This flag accepts only a single receiver. To specify multiple receivers (to implement load balancing), configure this setting through the CLI or outputs.conf.

If you do not specify this flag and also do not specify DEPLOYMENT_SERVER, the universal forwarder cannot determine which indexer to forward to.

n/a
DEPLOYMENT_SERVER="<host:port>" Specify a deployment server for pushing configuration updates to the universal forwarder. Enter the deployment server name (hostname or IP address) and port.

Note: If you do not specify this flag and also do not specify RECEIVING_INDEXER, the universal forwarder cannot determine which indexer to forward to.

n/a
LAUNCHSPLUNK=1|0 Specify whether the universal forwarder should start when the installation finishes. 1 (yes)
SERVICESTARTTYPE=auto|manual Specify whether the universal forwarder should start when the system reboots.

By setting LAUNCHSPLUNK to 0 and SERVICESTARTTYPE to auto, you will cause the universal forwarder to not start forwarding until the next system boot. This is useful when you want to clone a system image.

auto
MONITOR_PATH="<directory_path>" Specify a file or directory to monitor. n/a



WINEVENTLOG_APP_ENABLE=1|0

WINEVENTLOG_SEC_ENABLE=1|0

WINEVENTLOG_SYS_ENABLE=1|0

WINEVENTLOG_FWD_ENABLE=1|0

WINEVENTLOG_SET_ENABLE=1|0

Enable these Windows event logs.

application

security

system

forwarders

setup

You can specify more than one of these flags in a command.

0 (no)
PERFMON=<input_type>,<input_type>,... Enable Performance Monitor inputs. <input_type> can be any of these:

cpu memory network diskspace

n/a
ENABLEADMON=1|0 Enable Active Directory monitoring for a remote deployment. 0 (not enabled)


CERTFILE=<c:\path\to\certfile.pem>

ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>

CERTPASSWORD=<password>

Supply SSL certificates:

Path to the cert file that contains the public/private key pair.

Path to the file that contains the Root CA cert for verifying CERTFILE is legitimate (optional).

Password for private key of CERTFILE (optional).

You must set RECEIVING_INDEXER for these flags to have any effect.

n/a
CLONEPREP=1|0 Delete any instance-specific data in preparation for creating a clone of a machine. This runs the splunk clone-prep-clear-config CLI command, which removes machine-specific information from configuration files after the instance runs for the first time. 0 (do not prepare the instance for cloning.)
SET_ADMIN_USER=1|0 Specify if the user you specify is an administrator. If you set this flag to 0, the universal forwarder runs in "low-privilege" mode as a user without administrator privileges on the local machine. This mode is available for customers that cannot run programs as an administrator on servers.

You must set both the LOGON_USERNAME and LOGON_PASSWORD flags when you set this flag.

1 (Install the universal forwarder as a user with administrative privileges. The universal forwarder runs in normal mode and not "low-privilege" mode.)
SPLUNKUSERNAME=<username> Create a username for the Splunk administrator user. If you specify a quiet installation with the /quiet flag, and do not specify this setting, then the software uses the default value of admin, but you must still specify a password with the SPLUNKPASSWORD or GENRANDOMPASSWORD flags for the installation to add the credentials successfully. N/A
SPLUNKPASSWORD=<password> Create a password for the Splunk administrator user. The password must meet eligibility requirements and be in plaintext. If you specify a quiet installation with the /quiet flag and do not specify this flag or the SPLUNKUSERNAME flag, then the universal forwarder installs without a user. and you must create one by editing the user-seed.conf configuration file. N/A
MINPASSWORDLEN=<positive integer> When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLEN flag specifies the minimum length that a password must be to meet these eligibility requirements going forward. It cannot be set to 0 or a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. > 1
MINPASSWORDDIGITLEN=<integer> When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDDIGITLEN flag specifies the minimum number of numeral (0 through 9) characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDLOWERCASELEN=<integer> When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDLOWERCASELEN flag specifies the minimum number of lowercase ('a' through 'z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDUPPERCASELEN=<integer> When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDUPPERCASELEN flag specifies the minimum number of uppercase ('A' through 'Z') characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
MINPASSWORDSPECIALCHARLEN=<integer> When using the SPLUNKPASSWORD flag to set a password, you can also set password eligibility requirements for password creation and modification. The MINPASSWORDSPECIALCHARLEN flag specifies the minimum number of special characters that a password must contain to meet these eligibility requirements going forward. It cannot be set to a negative integer. The ':' (colon) character cannot be used as a special character. Any new password you create and any existing password you change must meet the new requirements after you set this flag. 0
GENRANDOMPASSWORD=1|0 Generate a random password for the admin user and write the password to the installation log file. The installer writes the credentials to %TEMP%\splunk.log. After the installation completes, you can use the findstr utility to search that file for the word "PASSWORD". After you get the credentials, delete the installation log file, as retaining the file represents a significant security risk. 0

Examples

Install the universal forwarder silently, agree to the license, and set the forwarder admin credentials to "SplunkAdmin/Ch@ng3d!"

You should always create a password for the Splunk admin user. If you do not, then the universal forwarder can start with no defined users, which means that you cannot log in or make changes to the initial forwarder configuration.

msiexec.exe /i splunkforwarder_x64.msi AGREETOLICENSE=yes SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=Ch@ng3d! /quiet

Install the universal forwarder to run as the Local System user and request configuration from deploymentserver1

You might do this for new deployments of the forwarder.

msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

Install the universal forwarder to run as a domain user, but do not launch it immediately

You might do this when preparing a sample host for cloning.

msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet

Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode

You might do this to collect just the Security and System event logs through a silent installation.

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Install the universal forwarder in low-privilege mode and enable verbose installation logging to a log file

You might do this when you need to run the forwarder as a user who does not have administrative privileges on the local server.

msiexec.exe /i splunkuniversalforwarder_x64.msi /l*v install_splunkforwarder-6.1-201357-x64-release.msi.log LOGON_USERNAME=adtest1\lowpriv-testuser LOGON_PASSWORD=win1@splunk 
AGREETOLICENSE=Yes SET_ADMIN_USER=0 /quiet
Last modified on 01 December, 2021
PREVIOUS
Install a Windows universal forwarder from an installer
  NEXT
Install a Windows universal forwarder from a ZIP file

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters