Splunk Tutorial 08: Installing the Splunk Universal Forwarder

This post shows how to install the Splunk Universal Forwarder.

As mentioned in my previous tutorial, Splunk Tutorial 07: Different types of forwarders in Splunk:

“A forwarder is an interface that allows a system to forward logs or data into a Splunk instance installed on a different computer.”

To practice with the Splunk forwarder, it is strongly recommended to install the forwarder in a virtual machine. Therefore, before preparing this tutorial, I installed a virtual machine with an additional, legally licensed copy of Windows 10.

My screen looks like this:

Splunk Forwarder Virtual Machine

On the left is the Splunk application on my current computer, while the bottom-right window is the virtual machine.

Installing the Splunk Universal Forwarder can be divided into three stages:

  1. Set up a Splunk receiver on the Splunk instance
  2. Download the Splunk Universal Forwarder from Splunk
  3. Install the Splunk Universal Forwarder

Note: a Splunk instance must have a receiver configured in order to accept data from a forwarder, whatever type of forwarder is being installed.

1. Set up a Splunk receiver on the Splunk instance

Following are the steps to set up a Splunk receiver.

  1. Log in to Splunk Enterprise
  2. Click “Forwarding and Receiving” under “Settings”
  3. Click “Configure receiving”
  4. Click “New Receiving Port”
  5. Enter the port number for the receiver. By default it is 9997. However, any number is fine as long as you can remember it and it is not already used by another application (port 80, for example, is NOT okay because it is used by web servers).
  6. The listener is now set up successfully.
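Step 5 depends on the chosen port not being used by another application, and after step 6 the same port should now be owned by Splunk. The following PowerShell script is an added example, not part of the original post, for checking both on the Splunk Enterprise host. It assumes it is run in an elevated PowerShell prompt on that host and that the port is the tutorial's default of 9997; the process name check for `splunkd` is an assumption about how Splunk's listener process appears in Windows.

```powershell
# Added example (not from the original tutorial): check a candidate receiving port
# on the Splunk Enterprise host, before and after configuring the receiver.
param(
    [int]$ReceivingPort = 9997   # Splunk's default receiving port, as used in the tutorial
)

function Get-PortOwner {
    param([int]$Port)
    # One object per process currently listening on the port (none if the port is free).
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port        = $_.LocalPort
                ProcessId   = $_.OwningProcess
                ProcessName = $proc.ProcessName
            }
        }
}

function Test-PortIsFree {
    param([int]$Port)
    # A port with any listener is taken (the tutorial's example: port 80 belongs to a web server).
    $owners = @(Get-PortOwner -Port $Port)
    return ($owners.Count -eq 0)
}

if (Test-PortIsFree -Port $ReceivingPort) {
    Write-Host "Port $ReceivingPort is free: safe to enter as the receiving port."
} else {
    $owners = @(Get-PortOwner -Port $ReceivingPort)
    $owners | Format-Table -AutoSize
    if ($owners.ProcessName -contains "splunkd") {
        # Assumption: Splunk's listener shows up as the splunkd process.
        Write-Host "Port $ReceivingPort is already owned by Splunk: the receiver is configured."
    } else {
        Write-Host "Port $ReceivingPort is used by another application: choose a different port."
    }
}
```

Run it once before step 5 to confirm the port is free, and again after step 6 to confirm that Splunk itself is now the listener; if a non-Splunk process owns the port, pick another number in the wizard.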

2. Download the Splunk Universal Forwarder from Splunk

The Splunk Universal Forwarder can be downloaded from Splunk.com.

Following are the steps to download the Splunk Universal Forwarder.

  1. Go to www.splunk.com
  2. Click “Free Trials & Downloads” under “Products”
  3. Scroll to “Splunk Universal Forwarder” and click “Download Now”
  4. Log in with your Splunk account
  5. Download the Splunk Universal Forwarder for the right client platform. In our case this is the operating system of the virtual machine (i.e. 32-bit Windows 10).

3. Install the Splunk Universal Forwarder

Once both stages 1 and 2 are done, we are ready to install the Splunk Universal Forwarder. Beforehand, however, I would suggest that you note down the IP address of the Splunk instance. I do mean the IP address, not the host name, unless your network has a DNS service.

You need to make sure that your virtual machine can communicate with your Splunk instance in the same way two physical computers would. Otherwise, your Splunk Universal Forwarder will certainly not work. I am not a networking professional; I simply use the following two command-prompt commands to check my connection.

  1. Run `ipconfig /all` from a command prompt on my own physical computer. This shows me two pieces of information: the host name and my IP address. For example:
    Host Name . . . . . : ACapturerComputer
    IP Address. . . . . : 192.168.0.1
  2. Run the ping command from a command prompt in my virtual machine to ping my physical computer from the virtual machine. For example: `ping ACapturerComputer` or `ping 192.168.0.1`. If no error message is returned, I know that my virtual computer can communicate with my physical computer just as two individual computers would.

This may be a bit painful, especially if you are not familiar with virtual machines or network settings. However, once this is done, everything else is straightforward.

Once it is done, follow these steps to install the Splunk Universal Forwarder.

  1. Run the file downloaded in the steps above
  2. Accept the License Agreement and click “Customize Options” (NOT “Next”) *
  3. Select the path under which the Universal Forwarder should be installed
  4. Enter an SSL certificate password and click “Next”
  5. Install the Universal Forwarder as “Local System”
  6. Select the events that you want to capture.
    It is not compulsory to select all types of events. Select only the types of events you need to capture, because over-selecting simply creates noise on the Splunk Enterprise instance.
  7. Enter an administrator password for this Universal Forwarder
  8. Enter the hostname or IP for the Splunk Server. At this stage we leave it blank and click “Next”, as we are not using a deployment server at the moment.
  9. Enter the hostname or IP for the Receiving Indexer. Here we enter the details of the receiver we have just set up (i.e. the IP address of the Splunk server and the port number of the receiver).
  10. The Splunk Universal Forwarder is now ready to install. Click “Install”.
  11. After it is installed, click “Finish” to close the install wizard.

* We go for “Customize Options” instead of clicking “Next” because we want to select the types of events we capture.

Also, bear in mind that the forwarder has no screen of its own. However, you can go to Services and check whether the following service has been installed:

“SplunkForwarder Service”

It should be up and running.

Another way to check is to go to Splunk Enterprise and run a new search for the name or IP of the virtual machine as the host:

host = name or IP of the virtual machine

For example:

host="192.168.0.2"

If you get a log back, it is okay.
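The connectivity check in stage 3 (ping) and the two verification checks above (the service, and whether logs reach the indexer) can be combined into one script run on the forwarder VM. The PowerShell below is an added example, not part of the original post: it reads the indexer and port that the wizard wrote into `outputs.conf`, confirms the `SplunkForwarder` service is running, and tests the actual TCP port rather than just ICMP, since ping succeeding does not prove the receiving port is open. The install path, the location of `outputs.conf` under it, and the fallback address `192.168.0.1:9997` (the tutorial's sample values) are assumptions; adjust them if you chose a different path in step 3.

```powershell
# Added example (not from the original tutorial): verify from the forwarder VM that the
# Universal Forwarder is running and that the receiving indexer's TCP port is reachable.
param(
    [string]$IndexerHost   = "192.168.0.1",   # tutorial's sample Splunk instance IP (assumption)
    [int]   $ReceivingPort = 9997,            # receiving port configured in stage 1
    [string]$InstallPath   = "C:\Program Files\SplunkUniversalForwarder"  # assumed default path
)

function Get-ForwarderServiceState {
    # The service installed by the wizard; "NotInstalled" means the install did not complete.
    $svc = Get-Service -Name "SplunkForwarder" -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return "NotInstalled" }
    return $svc.Status.ToString()     # e.g. "Running" or "Stopped"
}

function Get-ConfiguredOutputs {
    param([string]$Path)
    # outputs.conf holds the indexer:port entered in wizard step 9 (location is an assumption).
    $conf = Join-Path $Path "etc\system\local\outputs.conf"
    if (-not (Test-Path $conf)) { return @() }
    Get-Content $conf |
        Where-Object { $_ -match '^\s*server\s*=' } |
        ForEach-Object { (($_ -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } } |
        Where-Object { $_ -ne '' }
}

function Test-IndexerReachable {
    param([string]$ComputerName, [int]$Port)
    # Ping only proves ICMP works; the forwarder needs the receiving TCP port itself to be open.
    $result = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

$state = Get-ForwarderServiceState
Write-Host "SplunkForwarder service: $state"
if ($state -eq "Stopped") {
    Start-Service -Name "SplunkForwarder"
    Write-Host "Service was stopped; started it."
}

# Prefer what the wizard actually wrote; fall back to the values given above.
$targets = @(Get-ConfiguredOutputs -Path $InstallPath)
if ($targets.Count -eq 0) { $targets = @("${IndexerHost}:${ReceivingPort}") }

foreach ($target in $targets) {
    $parts = $target -split ':'
    $ok = Test-IndexerReachable -ComputerName $parts[0] -Port ([int]$parts[1])
    Write-Host ("Indexer {0} port {1} reachable over TCP: {2}" -f $parts[0], $parts[1], $ok)
}
```

If the service is running and the TCP test succeeds but the `host="..."` search still returns nothing, the remaining suspects are the event types selected in step 6 (nothing selected means nothing to send) or a receiver configured on a different port than the one entered in step 9.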
