Splunk: Install Linux Universal Forwarder

Red Hat/Fedora/CentOS

DevOps Pro
Apr 24, 2014

Installing a Linux universal forwarder and configuring it as a deployment client. This is a continuation of my previous post:
https://medium.com/splunk-admin/64c9ba9af17a

Install Splunk Universal Forwarder

  • Log in to the splunk universal forwarder host and switch to root.
$ sudo su -
  • Download the splunk universal forwarder rpm.
$ cd /root
$ wget -O splunkforwarder-6.0.2-196940-linux-2.6-x86_64.rpm 'http://www.splunk.com/page/download_track?file=6.0.2/universalforwarder/linux/splunkforwarder-6.0.2-196940-linux-2.6-x86_64.rpm&ac=adwords-syslog&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.0.2&product=splunk&typed=release'
  • Install the splunk universal forwarder.
$ rpm -ihv splunkforwarder-6.0.2-196940-linux-2.6-x86_64.rpm
or
$ yum -y localinstall splunkforwarder-6.0.2-196940-linux-2.6-x86_64.rpm
  • Add splunk to $PATH. Add the following to ~/.bashrc or ~/.zshrc, then reload the shell.
$ vi ~/.bashrc
export SPLUNK_HOME="/opt/splunkforwarder"
export PATH=$PATH:$SPLUNK_HOME/bin
$ exec bash
  • Start the splunk universal forwarder.
$ splunk start --accept-license
(Note: --accept-license is needed only the first time the universal forwarder is started.)
  • Configure the splunk forwarder to start at boot time. This installs an init script that runs the forwarder as root; to run it as an unprivileged account instead, add -user <account> and make sure that account can read the files you are going to monitor.
$ splunk enable boot-start

Configure the Splunk Universal forwarder to forward data

  • Add the splunk indexer as the forward server. The indexer must already be listening for forwarder traffic on port 9997 (splunk enable listen 9997 on the indexer). The -auth credentials are the forwarder's own local admin account, not the indexer's; admin:changeme is the factory default and should be changed (splunk edit user admin -password '<new-password>' -auth admin:changeme) rather than left in place.
$ splunk add forward-server <splunk-indexer-hostname>:9997 -auth admin:changeme
  • Configure inputs for the universal forwarder.
$ vi $SPLUNK_HOME/etc/system/local/inputs.conf
[monitor:///var/log]

o This will forward all logs under the directory /var/log to the splunk indexer

  • Restart the splunk universal forwarder.
$ splunk restart

Configure the Splunk universal forwarder as a deployment client

  • Configure the linux universal forwarder as a deployment client. Port 8089 is the management port of the deployment server (here the indexer).
$ vi $SPLUNK_HOME/etc/system/local/deploymentclient.conf
[deployment-client]
clientName = LinuxForwarder

[target-broker:deploymentServer]
targetUri = <splunk-indexer-hostname>:8089
  • Restart the universal forwarder.
$ splunk restart
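The forwarding and deployment-client configuration from the two sections above, written as one repeatable script. This is an added example and not part of the original post: it lays down the three files the post edits by hand (the outputs.conf that splunk add forward-server would generate, plus inputs.conf and deploymentclient.conf) under $SPLUNK_HOME/etc/system/local and sanity-checks them before you restart. The indexer hostname splunk-indexer.example.com, the client name and the script name uf-provision.sh are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): provision a Splunk universal
# forwarder's local config files and verify them before `splunk restart`.
# Hostnames and the client name below are placeholders (assumptions).
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INDEXER="${INDEXER:-splunk-indexer.example.com}"   # assumed indexer hostname
DEPLOY_SERVER="${DEPLOY_SERVER:-$INDEXER}"          # post points the client at the indexer
CLIENT_NAME="${CLIENT_NAME:-LinuxForwarder}"

# write_forwarder_conf <splunk_home>: create outputs.conf, inputs.conf and
# deploymentclient.conf in <splunk_home>/etc/system/local.
write_forwarder_conf() {
    local_dir="$1/etc/system/local"
    mkdir -p "$local_dir"

    # Same effect as `splunk add forward-server ${INDEXER}:9997`; the indexer
    # side must have receiving enabled with `splunk enable listen 9997`.
    cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${INDEXER}:9997
EOF

    # Monitor /var/log, but skip rotated/compressed copies so the forwarder
    # does not re-read old logs after every logrotate run.
    cat > "$local_dir/inputs.conf" <<'EOF'
[monitor:///var/log]
blacklist = \.(gz|bz2|xz|[0-9]+)$
EOF

    # Phone home to the deployment server on its management port (8089).
    cat > "$local_dir/deploymentclient.conf" <<EOF
[deployment-client]
clientName = ${CLIENT_NAME}

[target-broker:deploymentServer]
targetUri = ${DEPLOY_SERVER}:8089
EOF
}

# check_forwarder_conf <splunk_home>: return 0 if all three files exist and
# point at the expected ports, 1 otherwise. Cheap to run before a restart.
check_forwarder_conf() {
    local_dir="$1/etc/system/local"
    for f in outputs.conf inputs.conf deploymentclient.conf; do
        [ -f "$local_dir/$f" ] || { echo "missing $local_dir/$f" >&2; return 1; }
    done
    grep -q '^server = .*:9997$'       "$local_dir/outputs.conf"          || return 1
    grep -q '^\[monitor:///var/log]$'  "$local_dir/inputs.conf"           || return 1
    grep -q '^targetUri = .*:8089$'    "$local_dir/deploymentclient.conf" || return 1
    echo "forwarder configuration under $local_dir is consistent"
}

# Only touch the real SPLUNK_HOME when explicitly asked:  sudo ./uf-provision.sh apply
if [ "${1:-}" = "apply" ]; then
    write_forwarder_conf "$SPLUNK_HOME"
    check_forwarder_conf "$SPLUNK_HOME"
    echo "now run: $SPLUNK_HOME/bin/splunk restart"
fi
```

Run it as root on the forwarder (sudo ./uf-provision.sh apply) and then splunk restart, exactly as in the post. Keep in mind that settings in etc/system/local take precedence over anything the deployment server later pushes into etc/apps, so once the deployment server owns the inputs, remove the monitor stanza from system/local so the two do not fight.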
