This document describes the steps used to install the Splunk Universal Forwarder on a Red Hat Enterprise Linux system. The same steps apply to any system that uses RPM-style package management.
Perform the Linux install as root. Download the installation files from: https://uofi.box.com/v/splunk
Note: Version numbers in the images below are not always updated when newer versions come out; the install method is the same.
Splunk Doc:
Install the Splunk Universal Forwarder and start the process
- Install in the default directory /opt/splunkforwarder (the file name below is an example; use the version you downloaded, and check the package's GPG signature with rpm's -K option after importing Splunk's public signing key, so that a tampered download is not installed as root):
rpm -i /tmp/splunkforwarder-9.2.1-78803f08aabb.x86_64.rpm
- Start splunk the first time and accept the license:
/opt/splunkforwarder/bin/splunk start --accept-license
Enable the Universal Forwarder to start on boot
- Stop the forwarder before changing the boot configuration:
/opt/splunkforwarder/bin/splunk stop
- Remove any existing SysV init script for splunk in /etc/init.d (the following command removes it if present):
[sudo] /opt/splunkforwarder/bin/splunk disable boot-start
- Enable boot-start with systemd:
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1
### full command
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user <username> -group <groupname>
Note: Specifying -user and -group is optional but recommended, so that the service runs as a dedicated unprivileged account (this document uses splunkfwd) rather than as root. If you do not specify -user, the SPLUNK_OS_USER value in splunk-launch.conf is used; if SPLUNK_OS_USER is not defined, the owner of the splunk binary is used.
Configuring the Deployment Server:
Use one of the following methods:
- Set the deployment server from the command line:
/opt/splunkforwarder/bin/splunk set deploy-poll deployment.splunk.uic.edu:8089
- Edit deploymentclient.conf
You can also directly create and edit a deploymentclient.conf file in $SPLUNK_HOME/etc/system/local:
cd /opt/splunkforwarder/etc/system/local
vi deploymentclient.conf
[deployment-client]
[target-broker:deploymentServer]
targetUri = deployment.splunk.uic.edu:8089
### make sure the owner of deploymentclient.conf is splunkfwd (the account the forwarder runs as), so the service can read and manage the file
chown splunkfwd:splunkfwd deploymentclient.conf
Start the Universal Forwarder; it should begin connecting to the deployment server shortly after the restart completes.
/opt/splunkforwarder/bin/splunk start
Verify that the splunkd service is running as the splunkfwd user (or the user you passed to -user), not as root, and that deploymentclient.conf is owned by that user.
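The following script is an added example for this verification step; it is not part of this page or of Splunk's own tooling. It implements the user-resolution rule from the note above (SPLUNK_OS_USER in splunk-launch.conf, else the owner of the splunk binary), checks that deploymentclient.conf is owned by that account, reads the effective user of the running splunkd from /proc, and confirms the systemd unit is enabled. It assumes the default install path /opt/splunkforwarder (override with SPLUNK_HOME) and the default unit name SplunkForwarder.service; the --check argument that triggers the run is this script's own convention.

```shell
#!/usr/bin/env bash
# Post-install check for the Universal Forwarder (added example, not Splunk's
# tooling). Confirms the expected service account, ownership of
# deploymentclient.conf, and that splunkd actually runs as that account.
# Assumptions: SPLUNK_HOME=/opt/splunkforwarder and unit SplunkForwarder.service.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Rule from the note above: SPLUNK_OS_USER in splunk-launch.conf wins,
# otherwise the owner of the splunk binary. Comment lines are ignored.
resolve_splunk_user() {
    local launch_conf="$1" splunk_bin="$2" user
    user=$(awk -F= '/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=/ {
                gsub(/[[:space:]]/, "", $2); print $2; exit }' "$launch_conf" 2>/dev/null)
    if [ -n "$user" ]; then
        printf '%s\n' "$user"
    else
        stat -c %U "$splunk_bin"
    fi
}

# Succeeds when the file exists and is owned by the given user.
file_owned_by() {
    local file="$1" user="$2"
    [ "$(stat -c %U "$file" 2>/dev/null)" = "$user" ]
}

# Effective user of the oldest running splunkd process (owner of /proc/<pid>).
# Fails if splunkd is not running.
splunkd_user() {
    local pid
    pid=$(pgrep -o -x splunkd 2>/dev/null) || return 1
    stat -c %U "/proc/$pid"
}

check_all() {
    local expected actual rc=0
    expected=$(resolve_splunk_user "$SPLUNK_HOME/etc/splunk-launch.conf" "$SPLUNK_HOME/bin/splunk")
    echo "expected service account: $expected"

    if file_owned_by "$SPLUNK_HOME/etc/system/local/deploymentclient.conf" "$expected"; then
        echo "OK   deploymentclient.conf owned by $expected"
    else
        echo "FAIL deploymentclient.conf missing or not owned by $expected"; rc=1
    fi

    if ! actual=$(splunkd_user); then
        echo "FAIL splunkd is not running"; rc=1
    elif [ "$actual" = root ]; then
        echo "FAIL splunkd is running as root"; rc=1
    elif [ "$actual" != "$expected" ]; then
        echo "FAIL splunkd runs as $actual, expected $expected"; rc=1
    else
        echo "OK   splunkd runs as $actual"
    fi

    if systemctl is-enabled --quiet SplunkForwarder.service 2>/dev/null; then
        echo "OK   SplunkForwarder.service is enabled at boot"
    else
        echo "FAIL SplunkForwarder.service is not enabled at boot"; rc=1
    fi
    return $rc
}

# Run the checks only when invoked as: bash uf-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

Run it as root with `--check` after the restart; a non-zero exit means at least one line printed FAIL. A splunkd running as root after you passed -user usually means the forwarder was started with the old init script or by hand before the systemd unit was enabled.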
Configure Firewall Rules
Make sure the host firewall (and any network firewall in the path) allows outbound TCP traffic to:
- deployment.splunk.uic.edu on port 8089 (the deployment server's management port, HTTPS)
- inputs1.illinoischicago.splunkcloud.com through inputs15.illinoischicago.splunkcloud.com on port 9997 (the indexer receiving port)
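As an added example for checking these rules from the forwarder host (not part of this page or of Splunk's tooling), the script below expands the inputs1 to inputs15 range and attempts a TCP connection to each endpoint using bash's /dev/tcp, so it works on a minimal RHEL host without nc or nmap installed. It assumes the hostnames and ports listed above; the TIMEOUT_SECS variable and the --check argument are this script's own conventions.

```shell
#!/usr/bin/env bash
# Outbound connectivity check for the Universal Forwarder's endpoints
# (added example, not Splunk's tooling). A plain TCP connect is enough to
# prove the firewall path is open; splunkd negotiates TLS itself afterwards.
set -u

DEPLOYMENT_SERVER="deployment.splunk.uic.edu"
DEPLOYMENT_PORT=8089
INDEXER_DOMAIN="illinoischicago.splunkcloud.com"
INDEXER_PORT=9997
TIMEOUT_SECS="${TIMEOUT_SECS:-5}"   # assumed default; override via environment

# Print the indexer hostnames inputs1..inputs15 listed above, one per line.
indexer_hosts() {
    local i
    for i in $(seq 1 15); do
        printf 'inputs%d.%s\n' "$i" "$INDEXER_DOMAIN"
    done
}

# Return 0 if a TCP connection to host:port completes within TIMEOUT_SECS.
# Name resolution happens inside bash, so a DNS failure also returns non-zero.
tcp_reachable() {
    local host="$1" port="$2"
    timeout "$TIMEOUT_SECS" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Check the deployment server and every indexer; return 1 if any failed.
check_all() {
    local endpoint host port rc=0
    for endpoint in "$DEPLOYMENT_SERVER:$DEPLOYMENT_PORT" \
                    $(indexer_hosts | sed "s/\$/:$INDEXER_PORT/"); do
        host="${endpoint%:*}"
        port="${endpoint##*:}"
        if tcp_reachable "$host" "$port"; then
            echo "OK   $endpoint"
        else
            echo "FAIL $endpoint (blocked, unreachable, or DNS failure)"; rc=1
        fi
    done
    return $rc
}

# Run the checks only when invoked as: bash fw-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

A FAIL on 8089 shows up in the forwarder as a deployment client that never phones home; a FAIL on one or more 9997 endpoints shows up as forwarding errors for those indexers in splunkd.log, even though data may still flow through the reachable ones.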