Splunk Windows universal forwarder
Think of a username and password and be ready to supply them when you perform the installation. If you do not supply at least a password during a silent installation, the universal forwarder can install without any users defined, which prevents login. You must then create a user-seed. The Windows universal forwarder installer installs and configures the universal forwarder to send data to an on-premises Splunk Enterprise instance. It offers you the option of migrating your checkpoint settings from an existing forwarder.
Do not install or run the bit version of the Splunk universal forwarder for Windows on a bit Windows system or an unsupported version of Windows. Do not install the universal forwarder over an existing installation of full Splunk Enterprise. When you install the universal forwarder on Windows, you can install with the default settings or customize installation options prior to installing. To understand the ramifications of the Windows user that the universal forwarder runs as, see Choose the user Splunk Enterprise should run as in the Installation Manual.
Perform at least one of the following two steps, or the universal forwarder cannot send data anywhere. If you chose "Customize options" in the Universal forwarder setup dialog box, the installer presents you with the following options.
You can enable inputs later, by editing inputs. See "Considerations for enabling data inputs in the installer" later in this topic about what happens when you enable inputs in this dialog. You must complete this action, as installation of the universal forwarder cannot proceed without it.
If you do not specify a username, the universal forwarder installer creates the admin user during the installation process.
Perform at least one of the next two steps. While both are optional, the forwarder does nothing if you perform neither step because it does not have a configuration.
An installation of the universal forwarder for Splunk Cloud Platform is similar to an installation for on-premises versions of Splunk Enterprise. Note: Perform at least one of the following two steps, or the universal forwarder cannot send data anywhere. Follow these instructions if you need to perform a detailed configuration of the universal forwarder for use with Splunk Cloud Platform.
When you specify a domain user during an installation and do not give that user local administrator rights, the forwarder installs and runs in "low-privilege" mode.
Before you install the Windows universal forwarder from a ZIP file, confirm that you have all of the following: To get the file, you must contact your Support representative who can provide a download link.
After you install the universal forwarder, you can configure it to run as the Local System user or as another Windows user that you specify by editing the user in the Services control panel. The Local System user lets the universal forwarder collect any kind of data that is available on the local machine. It cannot collect data from other machines. A Domain account lets the forwarder run as the Windows user you specify. The forwarder has the permissions that have been assigned to that user, and collects data from resources across the domain or forest that the user has read access to.
It does not collect data from resources that the Windows user does not have access to. If you need to collect data from those resources, you must give the Windows user access to those resources. You must determine and configure the user that the universal forwarder should run as before installing the forwarder for remote Windows data collection. If you install as a domain user, specify a user that has access to the data you want to monitor. See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.
If your monitoring needs require that you install the universal forwarder to collect remote Windows data, then configure your Windows environment for the proper installation of the forwarder. The configuration process includes adding or editing Active Directory security groups and granting the Windows universal forwarder user access to those groups. It can also include creating and updating Group Policy Objects (GPOs) to provide further security and access for the user.
For step-by-step instructions on how to modify your Windows network, domain, or Active Directory forest, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual. This procedure assumes that no other forwarder has been installed on the Windows machine.
If there are other forwarders that are present, see "Install additional forwarders" later in this topic. This part of the procedure is only required if you want to use the Registry monitor, the Network monitor, or the MonitorNoHandle file monitoring input.
These inputs have separate drivers that must be registered before they can be used with the universal forwarder instance. If you do not want to use these inputs, then proceed to the next section.
If you need to register Splunk monitoring drivers, confirm that you specify the commands exactly as shown. Errors in command syntax can severely damage your Windows installation. If you do not feel comfortable with the driver registration steps in this procedure, then install the universal forwarder with the installer. You must always specify the full path to confirm that the utility operates on the correct file.
Before starting the forwarder for the first time, you must create the Splunk admin account by editing user-seed. If you do not, the universal forwarder starts with no defined users, which means you cannot log into it and make changes. See Create a secure administrator password in Securing Splunk for more information on how to create a secure password for the admin account. After you have installed the first forwarder, you can install additional forwarders by changing the service name for the new instances.
Any forwarders that you previously installed on the machine should be running when you perform this installation. This forces the forwarder that you are installing to prompt you to choose a different network management port when it starts. Each universal forwarder must use its own network management port. If a forwarder that is already on the system uses a monitoring input that requires a driver, then this instance cannot monitor the same type of input.
For example, if a forwarder already monitors the Registry, then subsequent instances cannot monitor the Registry.
This is the same for the Network monitoring or MonitorNoHandle inputs. If you already have a universal forwarder installed on the machine, do not unpack the ZIP file into the same directory.
Install a Windows universal forwarder from the command line

You can install the universal forwarder on a Windows machine from a command prompt or a PowerShell window.

When to install from the command line?

Here are some scenarios where installing from the command line is useful:
- You want to install the forwarder, but do not want to start it right away.
- You want to automate installation of the forwarder with a script.
- You want to install the forwarder on a machine that you will clone to other machines later.
- You run a version of Windows Server Core.

Prerequisites for installing the universal forwarder on Windows

Choose the Windows user the universal forwarder should run as

When you install the universal forwarder, you can select the user it should run as. You must give the universal forwarder a user account if you intend to do any of the following:
- Read Event Logs remotely
- Collect performance counters remotely
- Read network shares for log files
- Enumerate the Active Directory schema, using Active Directory monitoring

See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements for collecting remote Windows data.

Configure your Windows environment prior to installation

The following steps are high-level.
- Create a security group for the user that you want to run the universal forwarder as.
- Add the user you want the universal forwarder to run as to this group.
- (Optional) Set up the universal forwarder user as a managed service account.
- Use the Group Policy Management Console to assign desired security rights to the universal forwarder user. For best results, make sure that your forwarder has permission to read wineventlog.
- If you use Active Directory, deploy the Group Policy objects with the updated settings.

Have credentials for the Splunk admin user ready

When you install the universal forwarder, you must create credentials for the Splunk administrator user.

Install the universal forwarder with installation flags

This method of installation acts like the method that is explained in Install the Windows universal forwarder from an installer, but does not ask some questions during the installation process, depending on the installation flags that you specify.

Review the supported command line flags table to determine the flags you need to accomplish your command line installation task. From a command prompt or PowerShell window, run the msiexec.

Last modified on 01 December,
Agrees to the license. You must set this flag to Yes to perform a silent installation.
The flag does not work when you click the MSI to start installation. Specifies the installation directory. Do not install the universal forwarder over an existing installation of full Splunk Enterprise.
If you don't include these flags, the universal forwarder installs as the Local System user.
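The silent installation described above, as an added example that is not part of the Splunk documentation: a PowerShell helper that builds the msiexec argument list and refuses the two misconfigurations this page warns about (no admin password, and neither a receiving indexer nor a deployment server). The MSI property names are the installer's documented flags, whose names this page's text no longer shows; the function name, MSI path and host name are placeholders.

```powershell
# Added example, not Splunk's code. MSI path and host name below are placeholders.
function New-UfInstallArguments {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [pscredential] $SplunkAdmin,  # Splunk admin user, not a Windows account
        [string] $ReceivingIndexer,                          # "host:port"
        [string] $DeploymentServer,                          # "host:port"
        [pscredential] $ServiceAccount,                      # omit to run as Local System
        [string] $InstallDir,
        [switch] $NoLaunch                                   # install now, start later
    )
    # With neither target set, the forwarder has no configuration and sends nothing.
    if (-not $ReceivingIndexer -and -not $DeploymentServer) {
        throw 'Specify -ReceivingIndexer, -DeploymentServer, or both.'
    }
    $admin = $SplunkAdmin.GetNetworkCredential()
    # A silent install without a password leaves the forwarder with no users defined.
    if ([string]::IsNullOrEmpty($admin.Password)) { throw 'The Splunk admin password must not be empty.' }

    $a = @('/i', "`"$MsiPath`"", 'AGREETOLICENSE=Yes',
           "SPLUNKUSERNAME=`"$($admin.UserName)`"", "SPLUNKPASSWORD=`"$($admin.Password)`"")
    if ($InstallDir)       { $a += "INSTALLDIR=`"$InstallDir`"" }
    if ($ReceivingIndexer) { $a += "RECEIVING_INDEXER=`"$ReceivingIndexer`"" }
    if ($DeploymentServer) { $a += "DEPLOYMENT_SERVER=`"$DeploymentServer`"" }
    if ($ServiceAccount) {
        $a += "LOGON_USERNAME=`"$($ServiceAccount.UserName)`""
        $a += "LOGON_PASSWORD=`"$($ServiceAccount.GetNetworkCredential().Password)`""
    }
    if ($NoLaunch) { $a += 'LAUNCHSPLUNK=0' }
    # A double quote inside any value would break property parsing; reject it
    # without echoing the value itself.
    if ($a | Where-Object { ($_ -split '"').Count -gt 3 }) {
        throw 'A supplied value contains a double quote character.'
    }
    $a + '/quiet'
}

# Usage: prompt for the password instead of hard-coding it in the script.
# The values still appear on the msiexec command line, so treat process-creation
# logs and PowerShell transcripts from the install host as sensitive.
$msiArgs = New-UfInstallArguments -MsiPath 'C:\Temp\splunkforwarder.msi' `
    -SplunkAdmin (Get-Credential -UserName 'admin' -Message 'Splunk admin password') `
    -DeploymentServer 'ds.example.internal:8089' -NoLaunch
$p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
```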