This blog illustrates how to install the Splunk Universal Forwarder on Windows and point it at a Splunk Enterprise receiver.
As mentioned in my previous tutorial, Splunk Tutorial 07: Different types of forwarders in Splunk:
“A forwarder is an interface allowing a system to forward logs or data into a Splunk instance that is installed on a different computer.”
To practise with a forwarder it is strongly recommended to install it in a virtual machine, so that the forwarder and the Splunk instance really are two separate systems. Before preparing this tutorial I therefore set up a virtual machine with an additional, legally licensed copy of Windows 10.
The screenshot below shows my setup.
On the left is the Splunk Enterprise instance running on my physical computer; in the bottom right is the virtual machine.
Installing the Splunk Universal Forwarder can be divided into three stages:
- Set up a Splunk receiver on the Splunk Enterprise instance
- Download the Splunk Universal Forwarder from Splunk
- Install the Splunk Universal Forwarder
Note: a Splunk instance needs a receiver (a listening port) in order to accept data from a forwarder, whichever type of forwarder you install.
1. Set up a Splunk receiver on the Splunk Enterprise instance
The following are the steps to set up a Splunk receiver:
- Log in to Splunk Enterprise
- Click “Forwarding and Receiving” under “Settings”
- Click “Configure receiving”
- Click “New Receiving Port”
- Enter the port number for the receiver. The default is 9997. Any port works as long as you remember it and it is not already used by another application (port 80, for example, is NOT OK because it is used by web servers). Also make sure the firewall on the Splunk host allows inbound TCP connections to that port, because the forwarder in the virtual machine will connect to it over the network.
- The listener (receiver) is now set up.
2. Download the Splunk Universal Forwarder from Splunk
The Splunk Universal Forwarder can be downloaded from Splunk.com.
The following are the steps to download the Splunk Universal Forwarder:
- Go to www.splunk.com
- Click “Free Trials & Downloads” under “Products”
- Scroll to “Splunk Universal Forwarder” and click “Download Now”
- Log in with your Splunk account
- Download the Universal Forwarder for the correct client platform, i.e. the operating system of the virtual machine (in my case 32-bit Windows 10)
3. Install the Splunk Universal Forwarder
Once steps 1 and 2 are done we are ready to install the Splunk Universal Forwarder. Beforehand, however, I suggest writing down the IP address of the Splunk instance; the hostname will only work if name resolution (DNS) is available between the two machines.
You also need to make sure that the virtual machine can communicate with the Splunk instance just as two physical computers on the same network would. Otherwise the Universal Forwarder will certainly not work. I am not a networking professional, so I simply use the following two commands to check the connection:
- Run ipconfig /all from a command prompt on the physical computer. This shows the two pieces of information you need, the host name and the IP address. For example:
  Host Name : ACapturerComputer
  IP Address : 192.168.0.1
- Run ping from a command prompt inside the virtual machine against the physical computer, by name or by address:
  ping ACapturerComputer
  ping 192.168.0.1
  If no error message is returned, the virtual machine can reach the physical computer just as two separate computers would. Bear in mind that ping only proves basic network reachability (ICMP); it does not prove that the receiving port itself is open, so a firewall rule on the Splunk host can still block the forwarder even when ping succeeds.
This may be a bit painful, especially if you are not familiar with virtual machines or network settings. However, once it is done, everything else is straightforward.
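Because ping does not exercise the receiving port, I find it worth checking the actual TCP connection as well. The following PowerShell is an added example, not part of the original tutorial: it assumes the author's example address 192.168.0.1 and the default receiving port 9997 (change both to match your lab), and it uses only the built-in Windows cmdlets Get-NetTCPConnection, New-NetFirewallRule and Test-NetConnection (available on Windows 8 / Server 2012 and later). The first two commands run on the Splunk Enterprise host, the last inside the virtual machine.

```powershell
# Added example (not from the original tutorial). Assumes the Splunk Enterprise
# host is 192.168.0.1 (the author's example address) and the receiver was
# created on the default port 9997; change both to match your lab.
$SplunkHost  = '192.168.0.1'
$ReceivePort = 9997

# --- Run on the Splunk Enterprise host (elevated PowerShell) ---
# 1. Confirm splunkd is actually listening on the receiving port. An empty
#    result means the receiver was not saved or splunkd has not picked it up.
Get-NetTCPConnection -LocalPort $ReceivePort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Allow the port through Windows Defender Firewall. Ping (ICMP) is often
#    allowed while new TCP ports are blocked by default, so a successful ping
#    does not prove the forwarder can connect.
New-NetFirewallRule -DisplayName "Splunk receiving $ReceivePort" `
    -Direction Inbound -Protocol TCP -LocalPort $ReceivePort -Action Allow

# --- Run inside the virtual machine ---
# 3. Test the real TCP handshake to the receiver, not just ICMP reachability.
$result = Test-NetConnection -ComputerName $SplunkHost -Port $ReceivePort
if ($result.TcpTestSucceeded) {
    "OK: ${SplunkHost}:${ReceivePort} is reachable from this VM"
} else {
    "FAIL: ping succeeded = $($result.PingSucceeded); TCP port closed or filtered"
}
```

If step 3 reports FAIL while ping works, the problem is almost always the firewall rule from step 2 or a receiver that was never saved, not the virtual machine's networking.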
Once that is done, the following are the steps to install the Splunk Universal Forwarder:
- Run the file you downloaded in the steps above
- Accept the License Agreement and click “Customize Options” (NOT “Next”) *
- Select the path under which the Universal Forwarder should be installed
- If you are not supplying your own SSL certificate for the forwarder, leave the certificate fields blank; otherwise enter the certificate details and password. Click “Next”
- Install the Universal Forwarder as “Local System”. (Local System lets the forwarder read the Windows Security event log and the other local event logs; a less privileged account is only suitable when you collect nothing that needs those rights.)
- Select the event logs you want to capture.
It is not compulsory to select all of them. Select only the event logs you need, because over-collection simply adds volume and noise to the Splunk Enterprise instance (and that volume counts against its daily indexing license).
- Enter an administrator username and password for this Universal Forwarder
- Enter the hostname or IP of the Deployment Server. At this stage we leave it blank and click “Next”, as we are not using a deployment server
- Enter the hostname or IP of the Receiving Indexer and its port. Here we enter the details of the receiver we set up in step 1 (i.e. the IP address of the Splunk server and the receiving port, 9997 by default)
- The Splunk Universal Forwarder is now ready to install. Click “Install”
- After it is installed, click “Finish” to close the install wizard
* We go for “Customize Options” instead of clicking “Next” because we want to choose the type of events to capture.
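If you need to repeat the same installation on several virtual machines, the wizard pages above map onto properties of the MSI, so the forwarder can be installed unattended. The following PowerShell is an added example and not part of the original tutorial or Splunk's own code. It assumes the MSI file name shown, the author's example address 192.168.0.1 with receiving port 9997, and that the MSI property names used (INSTALLDIR, AGREETOLICENSE, RECEIVING_INDEXER, WINEVENTLOG_*_ENABLE, SPLUNKUSERNAME, SPLUNKPASSWORD) match the installer documentation for the forwarder version you downloaded; check them against that documentation before relying on them.

```powershell
# Added example, not from the original tutorial. Run in an elevated PowerShell
# prompt inside the virtual machine, from the folder holding the downloaded MSI.
# Assumptions: file name, address, port and MSI property names as in the lead-in.
$Msi        = 'splunkforwarder-x86-release.msi'   # assumed name of the download
$Indexer    = '192.168.0.1:9997'                  # receiver from step 1
$InstallDir = 'C:\Program Files\SplunkUniversalForwarder'
$AdminUser  = 'admin'
# Lab only: a password on the msiexec command line is visible in process
# listings and in the verbose log; for real deployments seed it through
# etc\system\local\user-seed.conf instead.
$AdminPass  = Read-Host 'Forwarder admin password (8+ characters)'

$props = @(
    "INSTALLDIR=`"$InstallDir`""
    'AGREETOLICENSE=Yes'                 # the License Agreement page
    "RECEIVING_INDEXER=`"$Indexer`""     # the Receiving Indexer page
    # No LOGON_USERNAME/LOGON_PASSWORD: service runs as Local System, as in the wizard.
    'WINEVENTLOG_APP_ENABLE=1'           # Application log
    'WINEVENTLOG_SEC_ENABLE=1'           # Security log (needs Local System)
    'WINEVENTLOG_SYS_ENABLE=1'           # System log
    # Forwarded and Setup logs deliberately left off: select only what you need.
    "SPLUNKUSERNAME=$AdminUser"          # the administrator credentials page
    "SPLUNKPASSWORD=$AdminPass"
    # DEPLOYMENT_SERVER omitted: not used in this tutorial.
)

$msiArgs = @('/i', "`"$Msi`"") + $props + @('/quiet', '/L*v', 'uf-install.log')
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# msiexec exit code 0 = success, 3010 = success but a reboot is pending.
if ($proc.ExitCode -in 0, 3010) {
    "Installed (exit code $($proc.ExitCode)); details are in uf-install.log"
} else {
    throw "msiexec failed with exit code $($proc.ExitCode); see uf-install.log"
}
```

The verbose log written by /L*v is the first place to look when the unattended install fails, since there is no wizard to show the error.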
Also bear in mind that the forwarder has no user interface of its own. You can open the Windows Services console (services.msc) and check that the following service, SplunkForwarder, has been installed.
It is good if it is up and running.
Another way to check is to go to Splunk Enterprise and run a new search on the host field, using the name or IP address of the virtual machine (by default the forwarder reports the VM's Windows host name):
host=<name or IP of the virtual machine>
For example:
If you get events back, the forwarder is working.
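The same checks can be done from a PowerShell prompt inside the virtual machine, which is handy because the service console tells you only that the service is running, not whether it has actually connected to the receiver. This is an added example, not from the original tutorial; it assumes the default install path C:\Program Files\SplunkUniversalForwarder and the author's example receiver 192.168.0.1:9997. The splunk.exe subcommand list forward-server prompts for the forwarder administrator credentials you chose in the wizard.

```powershell
# Added example (not from the original tutorial). Assumes the default install
# path; adjust $UfHome if you chose another directory in the wizard.
$UfHome = 'C:\Program Files\SplunkUniversalForwarder'

# 1. The forwarder has no GUI; its only visible footprint is this service.
Get-Service -Name SplunkForwarder | Select-Object Name, Status, StartType

# 2. Ask splunkd which indexer it is talking to. The receiver should appear
#    under "Active forwards"; if it is listed under "Configured but inactive
#    forwards", the port is blocked or the receiver is not listening.
#    (Prompts for the forwarder admin username and password.)
& "$UfHome\bin\splunk.exe" list forward-server

# 3. The wizard wrote the Receiving Indexer page into outputs.conf. This is
#    where to correct a typo in the IP or port without re-running the installer;
#    restart the SplunkForwarder service afterwards.
Get-Content "$UfHome\etc\system\local\outputs.conf"

# 4. Recent warnings and errors from the forwarder's own log, for example a
#    "Connect to ... failed" line when the receiver cannot be reached.
Get-Content "$UfHome\var\log\splunk\splunkd.log" -Tail 200 |
    Select-String -Pattern 'ERROR|WARN'

# 5. Finally, on Splunk Enterprise (Search & Reporting), confirm events arrived.
#    The host field is the VM's Windows host name (run hostname in the VM to
#    see what it calls itself); this search is run in Splunk, not in PowerShell:
#    index=* host="WIN10-VM" earliest=-15m | stats count by sourcetype
```

If step 1 shows the service running but step 2 shows the receiver as inactive, go back to the firewall and port checks from stage 3 rather than reinstalling the forwarder.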