How to Deploy Universal Forwarder on Linux and Mac?

Are you try getting data from a Linux or Mac machines to your Splunk Indexer or Search Head? You are at the right place. We will help you deploying the Universal Forwarder on your Linux or Mac machines. The Splunk Universal Forwarder is a lightweight agent that allows you to efficiently gather and forward data from various sources to your Splunk indexers.

In this tutorial, we will guide you through the step-by-step process of installing, upgrading, and uninstalling the Universal Forwarder on both Linux and Mac operating systems. Whether you're a Splunk administrator or a curious IT professional, this post will provide you with the knowledge and confidence to successfully deploy the Universal Forwarder in your environment.

We'll cover the necessary prerequisites, download and installation steps, configuration tips, and best practices to ensure a smooth and effective deployment. By the end of this tutorial, you'll be well-equipped to harness the power of the Splunk Universal Forwarder on your Linux and Mac machines. Let's get started!

An Introduction to Splunk Universal Forwarders

Before we dive into the deployment process, let's take a moment to understand what Splunk Universal Forwarders (UFs) are and when you should use them. Splunk Universal Forwarders are lightweight agents designed to efficiently collect and forward data from various sources to your Splunk indexers. They play a crucial role in expanding your data collection capabilities and ensuring that valuable machine data is easily accessible for analysis and insights.

So, where can you download the Splunk Universal Forwarder? The Universal Forwarder is available for download from the official Splunk website. Splunk provides support for a wide range of platforms, including Linux, Windows, macOS, and more. Whether you're running a Linux server or a Mac workstation, you can easily find the appropriate Universal Forwarder package for your operating system.

Now, you might be wondering when you should use Universal Forwarders. The answer is simple: whenever you need to collect data from remote systems and forward it to your Splunk indexers. Universal Forwarders are particularly useful in scenarios where you have multiple machines or endpoints that generate valuable machine data. By deploying Universal Forwarders on these systems, you can efficiently collect and centralize the data for analysis and monitoring purposes.

Universal Forwarders are ideal for scenarios where you need to collect and forward log data from multiple sources to a central Splunk instance. Here are some common use cases:

By leveraging Universal Forwarders, you can streamline your data collection process, reduce the load on your indexers, and ensure that your Splunk environment has access to a comprehensive set of machine data for analysis and insights.

A Universal Procedure to Install Splunk UF on Linux and Mac

Now that you have a solid understanding of what Splunk Universal Forwarders (UF) are and when to use them, let's dive into the installation process. In this section, we'll walk you through the step-by-step procedure to install the Splunk Universal Forwarder on both Linux and Mac machines using tgz file. This is a universal installation method you can use it on any Linux distributions.

Installing Splunk Universal Forwarder on Linux

Prerequisites

Before you begin, ensure you have the following:

Step 1: Create User Splunk (Optional)

Well, It is optional to create a dedicated user, however, it is a recommended options because, it helps to isolate Splunk's processes and enhances security. So, let's create a user 'splunk' and set a password. Don't forget the user 'splunk' to add the 'sudoers' group too.

sudo adduser splunk

Step 2: Download the Universal Forwarder

1. Go to the Splunk Universal Forwarder download page. (Login may required to access the download page.)

2. Select the appropriate Linux version (e.g., 64-bit .tgz for Linux).

3. Download the package by copying the provided wget command.

cd /opt/

wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"

Note: At the time we wrote this article, v9.2.1 was the latest released version. You might see a different version depending on the time you download.

Step 3: Change the Ownership of the tgz File (Optional)

Switch the user to 'splunk' and change the user and group permissions of the tgz file from root to 'splunk' using the chown command.

su splunk

sudo chown splunk:splunk /opt/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz

Step 4: Install the Universal Forwarder

1. Open your terminal and navigate to the directory where you downloaded the package.

2. Extract the package using the following command:

sudo tar -xvzf     splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz

Change the extracted directory permission to user and group 'splunk' as shown in the picture.

sudo chown -R splunk:splunk /opt/splunkforwarder

Step 5: Accept the License Agreement and Create an Administrator User

In this final step, you need to read and accept the license agreement and create a new administrator account for the Universal Forwarder.  To do that change the directory to the bin then run 'splunk status' command.

cd /opt/splunkforwarder/bin

./splunk status --accept-license

As soon as you enter the .splunk status command, License agreement will appear. Scroll to the down accept entering 'y'.

As soon as you accept the license agreement Splunk asks to create the admin user.

That's it. This completes the installation of Splunk Universal Forwarder on a Linux machine.

You can start the Universal Forwarder as Splunk instances. change the directory to /opt/splunkforwarder/bin then run this command.    

./splunk start

However, please be aware that you just installed the Universal Forwarder,  didn't configure the UF to receive machine data and forward it to the Indexer. You are yet to do that.

Installing Splunk Universal Forwarder on Mac

Prerequisites

Before you begin, ensure you have the following:

Step 1: Open Terminal and Navigate to the Download Directory

To download and install Splunk UF, you will need to use the Terminal application on your Mac.

1. Open the Terminal application. You can find it in the "Applications" folder under "Utilities" or by using Spotlight search (press Command + Space and type "Terminal").

2. Once the Terminal window opens, navigate to the directory where you want to download the Splunk package. You can use the cd command followed by the directory path. For example, to navigate to the Downloads folder, type:

cd ~/Downloads

Step 2: Download the Universal Forwarder

Now that you are in the desired download directory, you can use the 'curl' utility to download the Splunk package.

curl -0 --output splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/osx/splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz"

Note: At the time we wrote this article, v9.2.1 was the latest released version. You might see a different version depending on the time you download.

Step 3: Create User Splunk (Optional)

Well, It is optional to create a dedicated user, however, it is a recommended option because it helps to isolate Splunk's processes and enhances security. To create a new user, follow these steps:

In the Terminal, type the following commands, pressing Enter after each line: These commands create a new user account named "splunk" with a home directory. /Users/splunk

sudo dscl . -create /Users/splunk
sudo dscl . -create /Users/splunk UserShell /bin/bash
sudo dscl . -create /Users/splunk RealName "Splunk User"
sudo dscl . -create /Users/splunk UniqueID 1001
sudo dscl . -create /Users/splunk PrimaryGroupID 1001
sudo dscl . -create /Users/splunk NFSHomeDirectory /Users/splunk

Set a password for the newly created user by typing: You will be prompted to enter and confirm the password.

sudo dscl . -passwd /Users/splunk

Step 4: Extract the Splunk Package

Now that you have downloaded the Splunk package, you need to extract its contents.

1. In the Terminal, ensure that you are in the directory where the .tgz file was downloaded (e.g., ~/Downloads).

2. Type the following command to extract the package: This command extracts the contents of the .tgz file into a new directory named splunk in the current location.

tar -xzvf splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz

Step 5: Move the Splunkforwarder Directory

To keep your file system organized and make Splunk accessible system-wide, it's recommended to move the extracted splunkforwarder directory to the /Applications directory.

1. In the Terminal, type the following command: This command moves the splunkforwarder directory to the /Applications directory, which is the standard location for installing applications on macOS.

2. You may be prompted to enter your macOS user password to authorize the move operation.

Step 6: Change Ownership of the Splunkforwarder Directory (Optional)

If you created a dedicated "splunk" user earlier, it's a good idea to change the ownership of the Splunk directory to that user. This ensures that the Splunk processes run under the correct user account.

In the Terminal, type the following command: This command changes the ownership of the /Applications/splunkforwarder directory and all its contents to the "splunk" user and the "staff" group.

sudo chown -R splunk:staff /Applications/splunkforwarder

Step 7: Accept the License Agreement and Create an Administrator User for SUF

In this final step, you need to read and accept the license agreement and create a new administrator account for the Universal Forwarder.  To do that switch to user 'splunk' and change the directory to the bin then run 'splunk status' command.

sudo su splunk

cd /Applications/splunkforwarder/bin

./splunk status --accept-license

That's it. This completes the installation of Splunk Universal Forwarder on a Macbook.

You can start the Universal Forwarder as Splunk instances. change the directory to /opt/splunkforwarder/bin then run this command.    

./splunk start

However, please be aware that you just installed the Universal Forwarder,  didn't configure the UF to receive machine data and forward it to the Indexer. You are yet to do that.

Upgrade Splunk Universal Forwarder on Linux and Mac

As your Splunk keeps releasing updates adding new features or fixing flaws, It's important to keep your Splunk Universal Forwarder up to date. In this section, we'll guide you through the process of upgrading the Splunk Universal Forwarder on both Linux and Mac machines.

To upgrade a Splunk Universal Forwarder on Linux or Mac using the tgz installation method, follow these steps:

Step 1: Stop the Universal Forwarder services

Stop the currently running Splunk Universal Forwarder. Open a terminal and navigate to the Splunk Universal Forwarder directory:

- For Linux: cd /opt/splunkforwarder/bin

- For Mac: cd /Applications/SplunkForwarder/bin

Then, run the following command to stop the forwarder:

./splunk stop

Step 2: Take the backup of configuration files

Back up your existing Splunk Universal Forwarder configuration files. It's always a good practice to create a backup before performing an upgrade. You can create a backup by copying the etc directory to a safe location:

- For Linux: cp -R /opt/splunkforwarder/etc /path/to/backup/directory

- For Mac: cp -R /Applications/SplunkForwarder/etc /path/to/backup/directory

Step 3: Download the tgz file for your operating system

Download the new version of the Splunk Universal Forwarder package (tgz) for your respective operating system (Linux or macOS) from the official Splunk website.

Step 4: Extract the tgz file on the installed directory

Extract the new Universal Forwarder package over the existing installation directory:

- For Linux: sudo tar -xvzf splunkforwarder-new-version.tgz -C /opt

- For Mac: sudo tar -xvzf splunkforwarder-new-version.tgz -C /Applications

This will replace the existing files with the new version while preserving your custom configurations.

Step 5: Start the UF services

Start the upgraded Splunk Universal Forwarder:

- For Linux: cd /opt/splunkforwarder/bin && ./splunk start

- For Mac: cd /Applications/SplunkForwarder/bin && ./splunk start

Review the changes and continue the installation when prompted. The Splunk Universal Forwarder will guide you through any necessary steps or migrations.

Step 6: Verify that the services running as expected

Verify that the Splunk Universal Forwarder is functioning properly. Ensure that data is being forwarded as expected.

Remember to review the release notes and documentation provided by Splunk for any specific instructions or considerations related to the version you are upgrading to.

In the next section, we'll discuss how to uninstall the Splunk Universal Forwarder from your Linux and Mac machines, should you need to remove it for any reason.

Uninstall Splunk Universal Forwarder on Linux and Mac

At some point, you may need to uninstall the Splunk Universal Forwarder from your Linux or Mac machines. Whether you're decommissioning a server, restructuring your Splunk environment, or simply no longer require data collection from a specific system, it's crucial to properly uninstall the Universal Forwarder to ensure a clean removal and avoid any lingering files or configurations.

In this section, we'll guide you through the step-by-step process of uninstalling the Splunk Universal Forwarder from both Linux and Mac machines.

Uninstalling Splunk Universal Forwarder on Linux and Mac

1. Open a terminal and stop the Splunk Universal Forwarder if it's currently running:

- For Linux: /opt/splunkforwarder/bin/splunk stop

- For Mac: /Applications/SplunkForwarder/bin/splunk stop

2. Remove the Splunk Universal Forwarder from the system startup:

- For Linux: /opt/splunkforwarder/bin/splunk disable boot-start

- For Mac: /Applications/SplunkForwarder/bin/splunk disable boot-start

3. Delete the Splunk Universal Forwarder directory and all its contents:

- For Linux: sudo rm -rf /opt/splunkforwarder

- For Mac: sudo rm -rf /Applications/SplunkForwarder

4. Remove any remaining Splunk-related files and directories (Optional):

- For Linux:

- sudo rm -rf /var/splunk

- sudo rm -rf /etc/splunk

- For Mac:

- udo rm -rf /var/splunk

- sudo rm -rf /etc/splunk

- sudo rm -rf /Library/LaunchDaemons/com.splunk.*

a. Note: Exercise caution when removing directories like /var/splunk or /etc/splunk, as they may contain valuable data or configurations. Make sure to back up any important files before proceeding.

5. Delete any Splunk-related entries from the system log rotation configuration (Optional):

- For Linux: sudo rm -f /etc/logrotate.d/splunk

- For Mac: sudo rm -f /etc/newsyslog.d/splunk.conf

6. For Linux only (Optional): Remove the Splunk user and group (if they were created specifically for Splunk):

a. sudo userdel splunk

b. sudo groupdel splunk

Your Splunk Universal Forwarder has now been successfully uninstalled from your Linux or Mac machine.

It's important to consider the impact of uninstalling the Splunk Universal Forwarder on your overall Splunk environment and data ingestion pipeline. Uninstalling the forwarder will stop data collection and forwarding from the respective machine, so make sure to plan accordingly.

If you have any custom configurations, deployment apps, or app extensions installed alongside the Universal Forwarder, you may need to remove them separately.

We hope this article helps understand how to install, upgrade, and uninstall Splunk Universal Forwarder on both Linux and Mac.  

That's all for now, we will cover more information about Splunk in the upcoming articles. Please keep visiting thesecmaster.com for more such technical information. Visit our social media page on Facebook, Instagram,  LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive information like this. 

You may also like these articles: