Deployment Tasks:
1. Install the Splunk Universal Forwarder software on the target Windows systems.
2. Manually copy the pre-configured Windows TAs to the target Windows systems.
3. Install the Splunk Cloud Credentials app on the Splunk Universal Forwarders.
Install the Splunk Universal Forwarder on the Target Systems
Now you need to install a Universal Forwarder on each of the Windows servers from which you want data. The easiest way to do this is to run the installer on your server.
If you have not already downloaded the Splunk Universal Forwarder, download it to your local system now, then copy it to a network share that the target systems can reach.
Double-click the MSI file to start the installation.
(Optional) To view the license agreement, click the "View License Agreement" button.
Select the Check this box to accept the License Agreement check box.
Check or uncheck the "Use this UniversalForwarder with on-premises Splunk Enterprise..." checkbox according to where this forwarder will send its data: leave it unchecked when the forwarder sends to Splunk Cloud, and check it when the forwarder sends to on-premises Splunk Enterprise (indexers or a heavy/gateway forwarder).
To change any of the default installation settings, click the "Customize Options" button and follow the Customize Options steps below. Otherwise, click Next to proceed to the next steps.
Customize Options:
(Optional) Click Change to specify a different installation directory.
(Optional) Select an SSL certificate to verify the identity of this machine.
Depending on your certificate requirements, you might need to specify a password and a Root Certificate Authority (CA) certificate to verify the identity of the certificate. If not, these fields can be left blank.
Select the Local System (Recommended) or Domain Account check box and click Next
If you specify Local System, the installer displays the Enable Windows Inputs dialog box.
If you specify Domain account, the installer displays a second dialog box where you enter domain and user information.
If you selected "Domain account", the installer displays a dialog box for user name and password credentials. Enter the user name and password into the User name and Password fields. Specify the user name in domain\username format only, or the installation can fail.
Enter the password again in the Confirm password field.
To add the domain user you specified to the local Administrators group, select the "Add user as local administrator" check box and click Next. The installer adds the domain user you specified to the local Administrators group.
If you do not select the "Add user as local administrator" check box, the universal forwarder installs in "low-privilege" mode. See "Run the universal forwarder in low-privilege mode" later in this topic for additional information and caveats.
In the Enable Windows Inputs dialog box, do not enable any of the inputs. The inputs are defined by the pre-configured TAs that you will deploy to the target systems later in this guide. Click Next.
End of Customization Steps:
Create credentials for the Splunk administrator user, then click Next.
You must complete this action, as installation of the universal forwarder cannot proceed without it. If you do not specify a username, the universal forwarder installer creates the admin user during the installation process.
In the Deployment Server pane, do one of the following and then click Next. If you use a Splunk Deployment Server, enter its name (for example, win2016-splk-ds; as a best practice, include the full DNS name) and enter port 8089 so the Universal Forwarder can communicate with the deployment server. If you are not leveraging a Splunk Deployment Server, leave the value blank.
In the Receiving Indexer pane, enter the host name or IP address and the receiving port of the system this forwarder will send data to: either your Splunk Indexer(s) or your Splunk Heavy/Gateway Forwarder. Leave the value blank if the forwarder's output configuration will be supplied another way, for example by the Splunk Cloud Credentials App installed later in this guide. Then click Next.
Click Install to proceed.
The installer runs and displays the Installation Completed dialog. The universal forwarder starts automatically.
From the Control Panel, confirm that the SplunkForwarder service runs.
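An unattended equivalent of the installer dialogs above, as an added example that is not from the original page or from Splunk: it uses the documented public MSI properties of the Windows universal forwarder and mirrors the choices made here (no Windows inputs enabled, no deployment server, one receiving host). The MSI path and the receiver host:port are placeholders, and the admin password is prompted for rather than written into the script.

```powershell
# Added example, not part of the original page: unattended install of the Windows
# universal forwarder with the same choices the dialog walkthrough above makes.
$msi        = '\\Network_Share\splunkforwarder.msi'        # placeholder path, replace
$installDir = 'C:\Program Files\SplunkUniversalForwarder'
$receiver   = 'RECEIVER_HOST:RECEIVER_PORT'                 # indexer or heavy/gateway forwarder, replace

# Prompt for the forwarder admin credentials instead of embedding them in a script.
$cred = Get-Credential -UserName 'admin' -Message 'Splunk universal forwarder admin account'
$pass = $cred.GetNetworkCredential().Password

$props = @(
    'AGREETOLICENSE=Yes'
    "INSTALLDIR=`"$installDir`""
    "SPLUNKUSERNAME=$($cred.UserName)"
    "SPLUNKPASSWORD=$pass"
    "RECEIVING_INDEXER=`"$receiver`""
    # DEPLOYMENT_SERVER is intentionally omitted: TAs are copied manually in this guide.
    # No WINEVENTLOG_*_ENABLE properties: the pre-configured TAs define the inputs.
)

$log  = Join-Path $env:TEMP 'splunkforwarder-install.log'
$args = @('/i', "`"$msi`"") + $props + @('/quiet', '/L*v', "`"$log`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# Same check the page asks for after the GUI install: the SplunkForwarder service must be running.
$svc = Get-Service -Name SplunkForwarder
if ($svc.Status -ne 'Running') { Start-Service -Name SplunkForwarder }
Write-Host "SplunkForwarder service status: $((Get-Service -Name SplunkForwarder).Status)"
```

The MSI properties are passed on the msiexec command line, so they are visible to anyone who can inspect processes on the host while the installer runs; review and delete the verbose log once the install is confirmed.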
Copy the Pre-Defined TA's to your target Windows Systems.
Complete the following three steps. The directory listing above each step shows the source folders on the network share and the destination folder on the target system.
Step 1: Validate the network share with the previously prepared Windows TAs (\\Network_Share\Splunk UF TAs\)

\\Network_Share
    \Splunk UF TAs
        \Base Windows
            \Splunk_TA_windows
        \Domain Controllers
            \Splunk_TA_windows
            \Splunk_TA_windows_dc
        \AD admon Monitor
            \Splunk_TA_windows_admon
First, compare the listing above with your own \\Network_Share\Splunk UF TAs\ directory. If they differ, go back to the previous Preparation Task, "Prepare the TA Examples for Deploying to your Splunk Universal Forwarders", and verify that all of its steps were completed.
Step 2: Deploy Windows TAs to all targeted AD Domain Controllers

Source:      \\Network_Share\Splunk UF TAs\Domain Controllers\
Destination: ...\SplunkUniversalForwarder\etc\apps\

\\Network_Share
    \Splunk UF TAs
        \Domain Controllers
            \Splunk_TA_windows
            \Splunk_TA_windows_dc
        \AD admon Monitor
            \Splunk_TA_windows_admon

...\SplunkUniversalForwarder
    \etc
        \apps
Log in to the target AD Domain Controller server.
Using File Explorer, navigate to the \\Network_Share\Splunk UF TAs\Domain Controllers\ directory.
Copy both complete folders, Splunk_TA_windows and Splunk_TA_windows_dc.
Paste them on the local system into the ...\SplunkUniversalForwarder\etc\apps\ directory.
Required: Complete the following additional steps on only one of your AD Domain Controllers per AD Domain:
Using File Explorer, navigate to the \\Network_Share\Splunk UF TAs\AD admon Monitor\ directory.
Copy the complete Splunk_TA_windows_admon folder.
Paste it on the local system into the ...\SplunkUniversalForwarder\etc\apps\ directory.
You can use a Member Server (non-Domain Controller) instead of an AD Domain Controller to collect the admon data, but this has drawbacks, such as slower extraction and the requirement that the Splunk Universal Forwarder run as an AD domain account.
Restart the SplunkForwarder service.
Step 3: Deploy Windows TAs to all targeted Member Servers

Source:      \\Network_Share\Splunk UF TAs\Base Windows\
Destination: ...\SplunkUniversalForwarder\etc\apps\

\\Network_Share
    \Splunk UF TAs
        \Base Windows
            \Splunk_TA_windows
        \AD admon Monitor
            \Splunk_TA_windows_admon

...\SplunkUniversalForwarder
    \etc
        \apps
Log in to the target Windows Member Server (non-AD Domain Controller).
Using File Explorer, navigate to the \\Network_Share\Splunk UF TAs\Base Windows\ directory.
Copy the complete Splunk_TA_windows folder.
Paste it on the local system into the ...\SplunkUniversalForwarder\etc\apps\ directory.
Only do the following if you did not deploy the Splunk_TA_windows_admon TA to one of your AD Domain Controllers in Step 2. Perform these steps on only one Member Server per AD Domain:
Using File Explorer, navigate to the \\Network_Share\Splunk UF TAs\AD admon Monitor\ directory.
Copy the complete Splunk_TA_windows_admon folder.
Paste it on the local system into the ...\SplunkUniversalForwarder\etc\apps\ directory.
If you choose to use a Member Server to collect the admon data, you must change the SplunkForwarder service to run as an AD account that has read rights to Active Directory.
Restart the SplunkForwarder service.
Validate Configuration: Review the table below to verify that the correct Windows TAs were deployed to the correct systems.

AD Domain Controllers                        Member Servers
...\SplunkUniversalForwarder\etc\apps        ...\SplunkUniversalForwarder\etc\apps
    \Splunk_TA_windows                           \Splunk_TA_windows
    \Splunk_TA_windows_dc                        \Splunk_TA_windows_admon (only if not deployed to a Domain Controller)
    \Splunk_TA_windows_admon (one DC per domain)
The Splunk_TA_windows_admon TA needs to be on only one system per AD Domain, either a single AD Domain Controller OR Member Server per domain.
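The three copy steps and the validation table above, as an added example script that is not from the original page: it detects whether the host is a domain controller, copies the matching TA folders from the share, restarts the service, and then checks the apps directory against the set of TAs the table expects for that role. The share and $SPLUNK_HOME paths are the ones shown above; the -CollectAdmon switch is an assumption of this script and must be used on only one system per AD domain.

```powershell
# Added example, not part of the original page: role-aware TA copy plus the validation check.
param(
    [string]$Share      = '\\Network_Share\Splunk UF TAs',
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [switch]$CollectAdmon   # set on exactly one host per AD domain (DC preferred, see above)
)
$apps = Join-Path $SplunkHome 'etc\apps'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; anything lower is not a DC.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$role = if ($isDC) { 'Domain Controller' } else { 'Member Server' }

# TA folders this host should end up with, matching the validation table.
$expected = @('Splunk_TA_windows')
if ($isDC)         { $expected += 'Splunk_TA_windows_dc' }
if ($CollectAdmon) { $expected += 'Splunk_TA_windows_admon' }

# Source folder on the share for each TA; Splunk_TA_windows comes from the role-specific folder.
$sources = @{
    'Splunk_TA_windows'       = Join-Path $Share $(if ($isDC) { 'Domain Controllers' } else { 'Base Windows' })
    'Splunk_TA_windows_dc'    = Join-Path $Share 'Domain Controllers'
    'Splunk_TA_windows_admon' = Join-Path $Share 'AD admon Monitor'
}

foreach ($ta in $expected) {
    $src = Join-Path $sources[$ta] $ta
    if (-not (Test-Path -Path $src)) {
        throw "Missing on share: $src (re-check the Preparation Task before continuing)"
    }
    # Copy the complete folder; -Force overwrites an earlier copy of the same TA.
    Copy-Item -Path $src -Destination $apps -Recurse -Force
}

# On a member server the admon TA also needs the service running as an AD account with read rights.
if ($CollectAdmon -and -not $isDC) {
    Write-Warning 'admon on a Member Server: ensure SplunkForwarder runs as an AD account with AD read rights.'
}
Restart-Service -Name SplunkForwarder

# Validation: every expected TA is present, and no TA meant for the other role was copied.
$present = Get-ChildItem -Path $apps -Directory |
           Where-Object { $_.Name -like 'Splunk_TA_windows*' } |
           Select-Object -ExpandProperty Name
$missing = $expected | Where-Object { $_ -notin $present }
$extra   = $present  | Where-Object { $_ -notin $expected }
if ($missing) { Write-Warning "Missing TA(s) on this $role`: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected TA(s) for a $role`: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host "TA deployment validated for $role" }
```

Run it once per target system, adding -CollectAdmon only on the single host per domain that is meant to collect admon data.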
Install the Splunk Cloud Credentials App
We will now cover the steps to install the Splunk Cloud Credentials Application on the Splunk Universal Forwarder(s).
If you have not already downloaded the Splunk Cloud Credentials App, download it before continuing.
If the Splunk Cloud Credentials App is already installed on your Splunk Universal Forwarder, you can skip the rest of this section.
Log in to your Splunk Universal Forwarder system.
Using File Explorer, open the network share where you downloaded the Splunk Cloud Credentials App.
Copy the splunkclouduf.spl file and paste it into the $SPLUNK_HOME/etc/apps/ directory on your forwarder (for example, C:\Program Files\SplunkUniversalForwarder\etc\apps).
Open a command prompt window as Administrator ("Run as administrator") and change into the $SPLUNK_HOME/bin/ directory (for example, C:\Program Files\SplunkUniversalForwarder\bin).
Run the following command:

    splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>

Replace <full path to splunkclouduf.spl> with the full path of the splunkclouduf.spl file you copied into $SPLUNK_HOME/etc/apps, and replace <username>:<password> with the Splunk username and password you created when you installed the Splunk Universal Forwarder.