Splunk Universal Forwarder Guide for Linux

Installation
The universal forwarder is available on Linux as a tar file, an RPM package, or a DEB package.

However, we recommend installing the Splunk Universal Forwarder from a tar file.

1. Expand the tar file into an appropriate directory using the tar command. To install into
/opt/splunkforwarder, run:

tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz -C /opt

Note:
Change the tar file name in the command to match the version you have
downloaded. The naming convention and command are:
tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz -C /opt

First Start
2. Start the universal forwarder and accept the license agreement by running:
cd /opt/splunkforwarder/bin
./splunk start --accept-license

The first time you start the forwarder, under most conditions it prompts you to create
credentials for the Splunk administrator user. The following text appears:

This appears to be your first time running this version of Splunk.

Create credentials for the administrator account.


Characters do not appear on the screen when you type the password.

Please enter an administrator username:

3. Type in the name you want to use for the administrator user. This is the user that you log
into the universal forwarder with, not the user that you use to log into your machine or onto
splunk.com. You can press Enter to use the default username of admin. The following text
then appears:

Password must contain at least:


* 8 total printable ASCII character(s).
Please enter a new password:

BLUESIFY SOLUTIONS SDN. BHD.


D-18-2, Menara Suezcap, No. 2, Jalan Kerinchi,
Gerbang Kerinchi Lestari, 59200 Kuala Lumpur.

4. Type in the password that you want to assign to the user. The password must meet the
requirements that the prompt displays.

Set the password and keep it safe for future troubleshooting in MAHB.

Password: <set a password>

Configuration
5. Configure the universal forwarder with the Deployment Server (DS) it will connect
to, then restart the universal forwarder for the change to take effect. For MAHB, the
Deployment Server address is LMAN.malaysiaairports.com.my:8089:

cd /opt/splunkforwarder/bin
./splunk set deploy-poll LMAN.malaysiaairports.com.my:8089
./splunk restart

6. Configure the universal forwarder to start on boot:

cd /opt/splunkforwarder/bin
./splunk enable boot-start
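
A deployment server can push apps and configuration to every forwarder that polls it, so after step 5 it is worth confirming that the forwarder points only at the intended address. The following is an added example, not part of the original guide or of Splunk's tooling; it assumes set deploy-poll records the address as targetUri under [target-broker:deploymentServer] in deploymentclient.conf, and the function names get_target_uri and check_deploy_poll are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): verify where a forwarder polls.
# Assumption: `splunk set deploy-poll` stores the address as targetUri under
# [target-broker:deploymentServer] in a deploymentclient.conf file.

# Print each targetUri set in the deployment-server stanza of file $1.
get_target_uri() {
    awk '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[target-broker:deploymentServer\]/); next }
        in_stanza && /^[ \t]*targetUri[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
        }
    ' "$1"
}

# Succeed only if at least one targetUri is set under $1 (SPLUNK_HOME) and
# every value found equals $2 (expected host:port, compared case-insensitively).
check_deploy_poll() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    found=0
    bad=0
    for conf in "$1"/etc/system/local/deploymentclient.conf \
                "$1"/etc/apps/*/local/deploymentclient.conf \
                "$1"/etc/apps/*/default/deploymentclient.conf; do
        [ -f "$conf" ] || continue
        for uri in $(get_target_uri "$conf"); do
            found=1
            got=$(printf '%s' "$uri" | tr 'A-Z' 'a-z')
            if [ "$got" != "$want" ]; then
                echo "MISMATCH: $conf sets targetUri=$uri (expected $2)" >&2
                bad=1
            fi
        done
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Usage on an installed host:
#   check_deploy_poll /opt/splunkforwarder LMAN.malaysiaairports.com.my:8089 \
#       && echo "deployment server OK"
```

The check fails both when no targetUri is configured and when any app-level deploymentclient.conf names a different server, so it can be run after the restart in step 5 and again during later audits.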

Management
The Universal Forwarder management commands are as follows:

/opt/splunkforwarder/bin/splunk start : Starts the UF agent
/opt/splunkforwarder/bin/splunk stop : Stops the UF agent
/opt/splunkforwarder/bin/splunk restart : Restarts the UF agent
/opt/splunkforwarder/bin/splunk status : Shows the current status of the UF agent

Removal
The Universal Forwarder can be removed by deleting the entire /opt/splunkforwarder
directory.

References
• Install on Linux:
https://docs.splunk.com/Documentation/Forwarder/8.0.0/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Linux


• Start the universal forwarder:
https://docs.splunk.com/Documentation/Forwarder/8.0.0/Forwarder/Starttheuniversalforwarder

• Configure deployment clients:
https://docs.splunk.com/Documentation/Forwarder/8.0.0/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller
