How can I install Splunk universal forwarder on Linux?

Linux Install: Should be done as root.
Download installation files from:
Adapted from:

Create the and configure the splunk user account

  1. adduser splunk 
  2. usermod -aG wheel splunk 
  3. passwd splunk  <== not necessary, unless you wish to directly login as splunk rather than escalate privileges

Download and install Splunk forwarder

  1. cd /opt/
  2. wget -O splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz ''
  3. tar xvzf splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz -C /opt/
  4. chown -R splunk:splunk splunkforwarder
  5. setfacl -Rm "u:splunk:r-x" /var/log

  6. setfacl -Rm d:user:splunk:r-x /var/log

  7. su - splunk
  8. /opt/splunkforwarder/bin/splunk start --accept-license
This appears to be your first time running this version of Splunk.
Create credentials for the administrator account.
Characters do not appear on the screen when you type the password.
Password must contain at least:
   * 8 total printable ASCII characters(s).
Please enter a new password:   <== password is independent of the splunk account password.

After verifying installation was successful, enable boot start, again as root. 

1. /opt/splunkforwarder/bin/splunk stop
2. /opt/splunkforwarder/bin/splunk enable boot-start -user splunk      
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Install UIC Splunk deployment client app:

  1. Visit
  2. Transfer UIC_ALL_deploymentclient folder to /opt/splunkforwarder/etc/apps/
  3. chown -R splunk:splunk /opt/splunkforwarder
  4. /opt/splunkforwarder/bin/splunk start

Verify service is running as splunk user:

  1. ps -ef | grep splunk

Configure Firewall Rules

Open firewall ports for splunk 8089/tcp to ( and ( (


Article ID: 879
Fri 1/15/21 6:12 PM
Thu 9/9/21 10:23 AM