This document outlines a set of instructions that were performed on a Red Hat Linux system. These instructions are applicable to any system that uses the RPM style package management system.
Splunk Doc:
Install the Splunk Universal Forwarder and start the process
- Install in the default directory /opt/splunkforwarder:
rpm -i /tmp/splunkforwarder-9.2.1-78803f08aabb.x86_64.rpm
- Start Splunk for the first time:
/opt/splunkforwarder/bin/splunk start --accept-license
Enable the Universal Forwarder to start on boot
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0
Configuring the Deployment Server:
Try one of the following:
/opt/splunkforwarder/bin/splunk set deploy-poll deployment.splunk.uic.edu:8089
- Edit deploymentclient.conf
You can also directly create and edit a deploymentclient.conf file in $SPLUNK_HOME/etc/system/local.
cd /opt/splunkforwarder/etc/system/local
vi deploymentclient.conf
[deployment-client]
[target-broker:deploymentServer]
targetUri = deployment.splunk.uic.edu:8089
### Make sure to change the owner of deploymentclient.conf to splunkfwd
chown splunkfwd:splunkfwd deploymentclient.conf
Restart the Universal Forwarder. It should begin connecting to the deployment server shortly after the restart is complete:
/opt/splunkforwarder/bin/splunk restart
Verify service is running as splunk user:
Configure Firewall Rules
Make sure the firewall allows traffic to 8089/tcp on splunk-deployment.server.uic.edu (131.193.68.94) and to inputs1.illinoischicago.splunkcloud.com:9997 through inputs15.illinoischicago.splunkcloud.com:9997.
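
One way to check the result of the steps above: that deploymentclient.conf points at the deployment server and is owned by splunkfwd, and that splunkd is not running as another account. This is an added example, not part of the original instructions or of Splunk's tooling; the function names are hypothetical, and the path, target URI and user are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-install checks for the forwarder configured above.

# Print the targetUri found in the [target-broker:deploymentServer] stanza.
conf_target_uri() {
    awk '
        /^[[:space:]]*\[/ {
            in_stanza = ($0 ~ /^[[:space:]]*\[target-broker:deploymentServer\]/)
            next
        }
        in_stanza && /^[[:space:]]*targetUri[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }
    ' "$1"
}

# check_conf FILE EXPECTED_URI EXPECTED_OWNER
# Succeeds only if FILE exists, points at EXPECTED_URI and is owned by
# EXPECTED_OWNER (stat -c is the GNU coreutils form, as shipped on RHEL).
check_conf() {
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    uri=$(conf_target_uri "$1")
    [ "$uri" = "$2" ] || { echo "FAIL: targetUri '$uri', expected '$2'"; return 1; }
    owner=$(stat -c %U "$1")
    [ "$owner" = "$3" ] || { echo "FAIL: owner '$owner', expected '$3'"; return 1; }
    echo "OK: $1 -> $uri, owner $owner"
}

# check_proc_user USER
# Succeeds only if splunkd is running and every splunkd process belongs to
# USER. UIDs are compared because ps may truncate long user names.
check_proc_user() {
    want=$(id -u "$1" 2>/dev/null) || { echo "FAIL: no such user $1"; return 1; }
    uids=$(ps -eo uid=,comm= | awk '$2 == "splunkd" { print $1 }' | sort -u)
    [ -n "$uids" ] || { echo "FAIL: splunkd is not running"; return 1; }
    [ "$uids" = "$want" ] || { echo "FAIL: splunkd runs as UID(s): $uids"; return 1; }
    echo "OK: splunkd runs as $1"
}

# Run both checks with the values used on this page; non-zero if either fails.
run_checks() {
    rc=0
    check_conf /opt/splunkforwarder/etc/system/local/deploymentclient.conf \
        deployment.splunk.uic.edu:8089 splunkfwd || rc=1
    check_proc_user splunkfwd || rc=1
    return $rc
}
```

Source the file and call run_checks as root after the restart; a targetUri placed under the wrong stanza is reported as an empty value.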