Are you trying to get data from Linux or Mac machines into your Splunk indexer or search head? You are in the right place. This guide walks you through deploying the Universal Forwarder on your Linux or Mac machines. The Splunk Universal Forwarder is a lightweight agent that efficiently gathers and forwards data from various sources to your Splunk indexers.
In this tutorial, we will guide you through the step-by-step process of installing, upgrading, and uninstalling the Universal Forwarder on both Linux and Mac operating systems. Whether you're a Splunk administrator or a curious IT professional, this post will provide you with the knowledge and confidence to successfully deploy the Universal Forwarder in your environment.
We'll cover the necessary prerequisites, download and installation steps, configuration tips, and best practices to ensure a smooth and effective deployment. By the end of this tutorial, you'll be well-equipped to harness the power of the Splunk Universal Forwarder on your Linux and Mac machines. Let's get started!
Before we dive into the deployment process, let's take a moment to understand what Splunk Universal Forwarders (UFs) are and when you should use them. Splunk Universal Forwarders are lightweight agents designed to efficiently collect and forward data from various sources to your Splunk indexers. They play a crucial role in expanding your data collection capabilities and ensuring that valuable machine data is easily accessible for analysis and insights.
So, where can you download the Splunk Universal Forwarder? The Universal Forwarder is available for download from the official Splunk website. Splunk provides support for a wide range of platforms, including Linux, Windows, macOS, and more. Whether you're running a Linux server or a Mac workstation, you can easily find the appropriate Universal Forwarder package for your operating system.
Now, you might be wondering when you should use Universal Forwarders. The answer is simple: whenever you need to collect data from remote systems and forward it to your Splunk indexers. Universal Forwarders are particularly useful in scenarios where you have multiple machines or endpoints that generate valuable machine data. By deploying Universal Forwarders on these systems, you can efficiently collect and centralize the data for analysis and monitoring purposes.
Universal Forwarders are ideal for scenarios where you need to collect and forward log data from multiple sources to a central Splunk instance. Here are some common use cases:
When managing a large number of servers or endpoints across different locations.
For collecting logs from various applications, services, and systems in a centralized manner.
To gather and forward security-related data such as system logs, audit logs, and application logs to a central Splunk instance for analysis.
To collect performance metrics from servers, applications, and network devices.
By leveraging Universal Forwarders, you can streamline your data collection process, reduce the load on your indexers, and ensure that your Splunk environment has access to a comprehensive set of machine data for analysis and insights.
Now that you have a solid understanding of what Splunk Universal Forwarders (UF) are and when to use them, let's dive into the installation process. In this section, we'll walk you through the step-by-step procedure to install the Splunk Universal Forwarder on both Linux and Mac machines using the tgz package. This is a universal installation method that works on any Linux distribution.
Prerequisites
Before you begin, ensure you have the following:
A Linux machine with sudo privileges
An active Splunk account to download the Universal Forwarder
A static IP address configured to the primary interface
Creating a dedicated user is optional, but it is recommended because it isolates Splunk's processes and improves security. So, let's create a user 'splunk' and set a password. Don't forget to add the 'splunk' user to the 'sudoers' group too.
sudo adduser splunk
1. Go to the Splunk Universal Forwarder download page. (Login may be required to access the download page.)
2. Select the appropriate Linux version (e.g., 64-bit .tgz for Linux).
3. Download the package by copying the provided wget command.
cd /opt/
wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
Note: At the time we wrote this article, v9.2.1 was the latest released version. You might see a different version depending on the time you download.
Switch to the 'splunk' user and change the owner and group of the tgz file from root to 'splunk' using the chown command.
su splunk
sudo chown splunk:splunk /opt/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz
1. Open your terminal and navigate to the directory where you downloaded the package.
2. Extract the package using the following command:
sudo tar -xvzf splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz
Change the owner and group of the extracted directory to 'splunk' as shown in the picture.
sudo chown -R splunk:splunk /opt/splunkforwarder
In this final step, you need to read and accept the license agreement and create an administrator account for the Universal Forwarder. To do that, change to the bin directory and run the 'splunk status' command.
cd /opt/splunkforwarder/bin
./splunk status --accept-license
As soon as you run the ./splunk status command, the license agreement appears. Scroll down and accept it by entering 'y'.
Once you accept the license agreement, Splunk asks you to create the admin user.
That's it. This completes the installation of Splunk Universal Forwarder on a Linux machine.
You can start the Universal Forwarder like any Splunk instance: change to the /opt/splunkforwarder/bin directory and run this command.
./splunk start
However, be aware that you have only installed the Universal Forwarder; you have not yet configured it to collect machine data and forward it to the indexer. That is still to be done.
Prerequisites
Before you begin, ensure you have the following:
A Mac machine with administrator access
An active Splunk account to download the Universal Forwarder
A static IP address configured to the primary interface
To download and install Splunk UF, you will need to use the Terminal application on your Mac.
1. Open the Terminal application. You can find it in the "Applications" folder under "Utilities" or by using Spotlight search (press Command + Space and type "Terminal").
2. Once the Terminal window opens, navigate to the directory where you want to download the Splunk package. You can use the cd command followed by the directory path. For example, to navigate to the Downloads folder, type:
cd ~/Downloads
Press Enter to execute the command and change the current directory.
Now that you are in the desired download directory, you can use the 'curl' utility to download the Splunk package.
curl --output splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/osx/splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz"
Note: At the time we wrote this article, v9.2.1 was the latest released version. You might see a different version depending on the time you download.
Creating a dedicated user is optional, but it is recommended because it isolates Splunk's processes and improves security. To create a new user, follow these steps:
In the Terminal, type the following commands, pressing Enter after each line. These commands create a new user account named "splunk" with the home directory /Users/splunk.
sudo dscl . -create /Users/splunk
sudo dscl . -create /Users/splunk UserShell /bin/bash
sudo dscl . -create /Users/splunk RealName "Splunk User"
sudo dscl . -create /Users/splunk UniqueID 1001
sudo dscl . -create /Users/splunk PrimaryGroupID 1001
sudo dscl . -create /Users/splunk NFSHomeDirectory /Users/splunk
Set a password for the newly created user by typing the following command. You will be prompted to enter and confirm the password.
sudo dscl . -passwd /Users/splunk
Now that you have downloaded the Splunk package, you need to extract its contents.
1. In the Terminal, ensure that you are in the directory where the .tgz file was downloaded (e.g., ~/Downloads).
2. Type the following command to extract the package. This command extracts the contents of the .tgz file into a new directory named splunkforwarder in the current location.
tar -xzvf splunkforwarder-9.2.1-78803f08aabb-darwin-64.tgz
To keep your file system organized and make Splunk accessible system-wide, it's recommended to move the extracted splunkforwarder directory to the /Applications directory.
1. In the Terminal, move the splunkforwarder directory to the /Applications directory, which is the standard location for installing applications on macOS.
2. You may be prompted to enter your macOS user password to authorize the move operation.
If you created a dedicated "splunk" user earlier, it's a good idea to change the ownership of the Splunk directory to that user. This ensures that the Splunk processes run under the correct user account.
In the Terminal, type the following command. This command changes the ownership of the /Applications/splunkforwarder directory and all its contents to the "splunk" user and the "staff" group.
sudo chown -R splunk:staff /Applications/splunkforwarder
In this final step, you need to read and accept the license agreement and create an administrator account for the Universal Forwarder. To do that, switch to the 'splunk' user, change to the bin directory, and run the 'splunk status' command.
sudo su splunk
cd /Applications/splunkforwarder/bin
./splunk status --accept-license
That's it. This completes the installation of Splunk Universal Forwarder on a MacBook.
You can start the Universal Forwarder like any Splunk instance: change to the /Applications/splunkforwarder/bin directory and run this command.
./splunk start
However, be aware that you have only installed the Universal Forwarder; you have not yet configured it to collect machine data and forward it to the indexer. That is still to be done.
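Before starting the forwarder, it is worth confirming that the steps above (dedicated user, ownership changed with chown, executable launcher under bin) actually took effect, because a single root-owned file left behind by 'sudo tar' is enough to make './splunk start' fail when run as the 'splunk' user. The following script is an added example, not code from the original article or from Splunk: it checks both the Linux layout (/opt/splunkforwarder, user in the sudo group) and the Mac layout (/Applications/splunkforwarder, staff group). The function names and the three-argument calling convention are this example's own; it assumes nothing beyond the directory layout the article creates.

```shell
#!/bin/sh
# Added example, not part of the original article: post-install checks for a
# tgz-based Universal Forwarder install on Linux or Mac. It assumes only the
# layout the article creates (<parent>/splunkforwarder/bin/splunk owned by a
# dedicated user); the function and variable names are this example's own.

# uf_user_exists USER -> 0 if the account exists on this host
uf_user_exists() {
  id "$1" >/dev/null 2>&1
}

# uf_user_in_group USER GROUP -> 0 if USER is a member of GROUP
# (the Linux steps above add the 'splunk' user to the sudo group)
uf_user_in_group() {
  for g in $(id -nG "$1" 2>/dev/null); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# uf_verify_install DIR USER -> 0 when DIR looks like a usable install:
#   - DIR/bin/splunk exists and is executable
#   - nothing under DIR is owned by someone other than USER (a root-owned
#     file left behind by 'sudo tar' breaks './splunk start' run as USER)
# Prints each problem it finds and returns the number of problems.
uf_verify_install() {
  dir=$1; user=$2; problems=0
  if [ ! -d "$dir" ]; then
    echo "missing install directory: $dir"
    return 1
  fi
  if [ ! -x "$dir/bin/splunk" ]; then
    echo "missing or non-executable launcher: $dir/bin/splunk"
    problems=$((problems + 1))
  fi
  stray=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 5)
  if [ -n "$stray" ]; then
    echo "files under $dir not owned by $user (first few):"
    echo "$stray"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# uf_main DIR USER GROUP -> runs all three checks and reports the outcome
uf_main() {
  rc=0
  uf_user_exists "$2" || { echo "user $2 does not exist"; rc=1; }
  uf_user_in_group "$2" "$3" || { echo "user $2 is not in group $3"; rc=1; }
  uf_verify_install "$1" "$2" || rc=1
  [ "$rc" -eq 0 ] && echo "$1 is ready to be started as $2"
  return "$rc"
}

# Usage: sh uf_check.sh /opt/splunkforwarder splunk sudo
#    or: sh uf_check.sh /Applications/splunkforwarder splunk staff
if [ $# -eq 3 ]; then
  uf_main "$@"
fi
```

The third argument is the group you expect the service account to belong to: 'sudo' on Debian-derived distributions, 'wheel' on Red Hat-derived ones, 'staff' for the Mac layout in this article. The find check is the important one; run it again after any later 'sudo' edit inside the install directory.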
As Splunk keeps releasing updates that add new features or fix flaws, it's important to keep your Splunk Universal Forwarder up to date. In this section, we'll guide you through the process of upgrading the Splunk Universal Forwarder on both Linux and Mac machines.
To upgrade a Splunk Universal Forwarder on Linux or Mac using the tgz installation method, follow these steps:
Stop the currently running Splunk Universal Forwarder. Open a terminal and navigate to the Splunk Universal Forwarder directory:
- For Linux: cd /opt/splunkforwarder/bin
- For Mac: cd /Applications/SplunkForwarder/bin
Then, run the following command to stop the forwarder:
./splunk stop
Back up your existing Splunk Universal Forwarder configuration files. It's always a good practice to create a backup before performing an upgrade. You can create a backup by copying the etc directory to a safe location:
- For Linux: cp -R /opt/splunkforwarder/etc /path/to/backup/directory
- For Mac: cp -R /Applications/SplunkForwarder/etc /path/to/backup/directory
Download the new version of the Splunk Universal Forwarder package (tgz) for your respective operating system (Linux or macOS) from the official Splunk website.
Extract the new Universal Forwarder package over the existing installation directory:
- For Linux: sudo tar -xvzf splunkforwarder-new-version.tgz -C /opt
- For Mac: sudo tar -xvzf splunkforwarder-new-version.tgz -C /Applications
This will replace the existing files with the new version while preserving your custom configurations.
Start the upgraded Splunk Universal Forwarder:
- For Linux: cd /opt/splunkforwarder/bin && ./splunk start
- For Mac: cd /Applications/SplunkForwarder/bin && ./splunk start
Review the changes and continue the installation when prompted. The Splunk Universal Forwarder will guide you through any necessary steps or migrations.
Verify that the Splunk Universal Forwarder is functioning properly. Ensure that data is being forwarded as expected.
Remember to review the release notes and documentation provided by Splunk for any specific instructions or considerations related to the version you are upgrading to.
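The upgrade steps above are easy to get out of order by hand, and "preserving your custom configurations" is something to verify rather than assume. The script below is an added example, not code from the original article or from Splunk: it runs the stop / back up etc / extract over / start sequence as functions and refuses to start the forwarder if any file under etc/system/local (where hand-written .conf files live) changed or disappeared during the extraction. It assumes the article's layout (<parent>/splunkforwarder with etc/ beneath it) and that the package ships an etc/splunk.version file containing a VERSION= line; that file name, and all function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: the stop / back up /
# extract-over / start sequence as functions, plus a check that hand-written
# configuration survived. Assumes the article's layout (<parent>/splunkforwarder
# with etc/ beneath it) and an etc/splunk.version file with a VERSION= line
# (assumed here); all function names are this example's own.

# uf_backup_etc INSTALL_DIR BACKUP_PARENT -> copies etc/ to a timestamped
# directory under BACKUP_PARENT and prints that path
uf_backup_etc() {
  dest="$2/splunkforwarder-etc-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$2" && cp -R "$1/etc" "$dest" || return 1
  printf '%s\n' "$dest"
}

# uf_extract_over TGZ PARENT -> unpacks the new package over
# PARENT/splunkforwarder, which is how the article upgrades a tgz install
uf_extract_over() {
  tar -xzf "$1" -C "$2"
}

# uf_version INSTALL_DIR -> prints the VERSION= value from etc/splunk.version
uf_version() {
  sed -n 's/^VERSION=//p' "$1/etc/splunk.version"
}

# uf_check_preserved INSTALL_DIR BACKUP_DIR -> 0 if every file that was under
# etc/system/local is byte-identical after the upgrade; lists any that changed
# or vanished and returns their count. Paths containing spaces are not handled.
uf_check_preserved() {
  bad=0
  for f in $(cd "$2" && find system/local -type f 2>/dev/null); do
    if [ ! -f "$1/etc/$f" ] || [ "$(cat "$2/$f")" != "$(cat "$1/etc/$f")" ]; then
      echo "changed or missing after upgrade: etc/$f"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# uf_upgrade TGZ PARENT BACKUP_PARENT -> the full sequence; aborts before
# starting the forwarder if local configuration did not survive
uf_upgrade() {
  install="$2/splunkforwarder"
  before=$(uf_version "$install")
  "$install/bin/splunk" stop || return 1
  backup=$(uf_backup_etc "$install" "$3") || return 1
  uf_extract_over "$1" "$2" || return 1
  uf_check_preserved "$install" "$backup" || return 1
  echo "upgraded $before -> $(uf_version "$install"); etc/ backup in $backup"
  "$install/bin/splunk" start
}

# Usage: sh uf_upgrade.sh splunkforwarder-new-version.tgz /opt /var/backups/splunk
#    or: sh uf_upgrade.sh splunkforwarder-new-version.tgz /Applications ~/splunk-backups
if [ $# -eq 3 ]; then
  uf_upgrade "$@"
fi
```

Run it as the same user that owns the install directory (the 'splunk' user from the installation steps), otherwise the extracted files end up with a different owner. If the preservation check fails, the backup directory it printed is the copy to restore from before trying again.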
In the next section, we'll discuss how to uninstall the Splunk Universal Forwarder from your Linux and Mac machines, should you need to remove it for any reason.
At some point, you may need to uninstall the Splunk Universal Forwarder from your Linux or Mac machines. Whether you're decommissioning a server, restructuring your Splunk environment, or simply no longer require data collection from a specific system, it's crucial to properly uninstall the Universal Forwarder to ensure a clean removal and avoid any lingering files or configurations.
In this section, we'll guide you through the step-by-step process of uninstalling the Splunk Universal Forwarder from both Linux and Mac machines.
1. Open a terminal and stop the Splunk Universal Forwarder if it's currently running:
- For Linux: /opt/splunkforwarder/bin/splunk stop
- For Mac: /Applications/SplunkForwarder/bin/splunk stop
2. Remove the Splunk Universal Forwarder from the system startup:
- For Linux: /opt/splunkforwarder/bin/splunk disable boot-start
- For Mac: /Applications/SplunkForwarder/bin/splunk disable boot-start
3. Delete the Splunk Universal Forwarder directory and all its contents:
- For Linux: sudo rm -rf /opt/splunkforwarder
- For Mac: sudo rm -rf /Applications/SplunkForwarder
4. Remove any remaining Splunk-related files and directories (Optional):
- For Linux:
- sudo rm -rf /var/splunk
- sudo rm -rf /etc/splunk
- For Mac:
- sudo rm -rf /var/splunk
- sudo rm -rf /etc/splunk
- sudo rm -rf /Library/LaunchDaemons/com.splunk.*
a. Note: Exercise caution when removing directories like /var/splunk or /etc/splunk, as they may contain valuable data or configurations. Make sure to back up any important files before proceeding.
5. Delete any Splunk-related entries from the system log rotation configuration (Optional):
- For Linux: sudo rm -f /etc/logrotate.d/splunk
- For Mac: sudo rm -f /etc/newsyslog.d/splunk.conf
6. For Linux only (Optional): Remove the Splunk user and group (if they were created specifically for Splunk):
a. sudo userdel splunk
b. sudo groupdel splunk
Your Splunk Universal Forwarder has now been successfully uninstalled from your Linux or Mac machine.
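The note in step 4 asks you to back up before deleting, and the rm -rf lines are the kind of thing you want to preview before running as root. The script below is an added example, not code from the original article or from Splunk: it turns the checklist above into a function that first archives etc/ as a tgz, then removes only those listed paths that actually exist, with a plan mode that prints what would go without touching anything. The PREFIX argument (normally empty) lets the same function be exercised against a scratch directory tree; that argument, the plan/apply convention and all function names are this example's own. Removing the 'splunk' user and group (step 6) is deliberately left as a manual step.

```shell
#!/bin/sh
# Added example, not part of the original article: the uninstall checklist as
# a function that archives etc/ first and then removes only the listed paths
# that exist. MODE=plan prints what would be removed without touching anything;
# PREFIX (normally empty) lets the same code run against a scratch tree.
# Function names and the plan/apply convention are this example's own.

# uf_uninstall_paths OS PREFIX -> prints the article's removal list for linux|mac
uf_uninstall_paths() {
  case $1 in
    linux)
      printf '%s\n' "$2/opt/splunkforwarder" "$2/var/splunk" "$2/etc/splunk" \
        "$2/etc/logrotate.d/splunk" ;;
    mac)
      printf '%s\n' "$2/Applications/splunkforwarder" "$2/var/splunk" "$2/etc/splunk" \
        "$2/etc/newsyslog.d/splunk.conf"
      for f in "$2"/Library/LaunchDaemons/com.splunk.*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
      done ;;
    *) echo "unknown OS: $1" >&2; return 2 ;;
  esac
}

# uf_archive_etc INSTALL_DIR ARCHIVE_DIR -> saves etc/ as a tgz before deletion,
# following the article's note to back up configuration first
uf_archive_etc() {
  [ -d "$1/etc" ] || return 1
  mkdir -p "$2" || return 1
  tar -czf "$2/splunkforwarder-etc-$(date +%Y%m%d-%H%M%S).tgz" -C "$1" etc
}

# uf_uninstall OS PREFIX ARCHIVE_DIR MODE -> MODE is "plan" (print only) or
# "apply" (stop, disable boot-start, archive etc/, then remove)
uf_uninstall() {
  os=$1; prefix=$2; archive=$3; mode=$4
  case $os in
    linux) install="$prefix/opt/splunkforwarder" ;;
    mac)   install="$prefix/Applications/splunkforwarder" ;;
    *) echo "unknown OS: $os" >&2; return 2 ;;
  esac
  if [ "$mode" = apply ]; then
    if [ -x "$install/bin/splunk" ]; then   # steps 1 and 2 of the checklist
      "$install/bin/splunk" stop
      "$install/bin/splunk" disable boot-start
    fi
    if [ -d "$install/etc" ]; then          # never delete without an archive
      uf_archive_etc "$install" "$archive" || { echo "archive failed, aborting" >&2; return 1; }
    fi
  fi
  for p in $(uf_uninstall_paths "$os" "$prefix"); do
    [ -e "$p" ] || continue
    if [ "$mode" = apply ]; then
      rm -rf "$p" && echo "removed $p"
    else
      echo "would remove $p"
    fi
  done
  return 0
}

# Usage: sudo sh uf_uninstall.sh linux "" /root/splunk-archive plan
#   then: sudo sh uf_uninstall.sh linux "" /root/splunk-archive apply
if [ $# -eq 4 ]; then
  uf_uninstall "$@"
fi
```

Always run plan first and read the list: on a shared host, /var/splunk or /etc/splunk may belong to a separate Splunk Enterprise install rather than to this forwarder. The etc/ archive is what you restore from if you later need the forwarder's inputs or outputs settings back.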
It's important to consider the impact of uninstalling the Splunk Universal Forwarder on your overall Splunk environment and data ingestion pipeline. Uninstalling the forwarder will stop data collection and forwarding from the respective machine, so make sure to plan accordingly.
If you have any custom configurations, deployment apps, or app extensions installed alongside the Universal Forwarder, you may need to remove them separately.
We hope this article helps you understand how to install, upgrade, and uninstall the Splunk Universal Forwarder on both Linux and Mac.
That's all for now; we will cover more about Splunk in upcoming articles. Please keep visiting thesecmaster.com for more technical information like this. Visit our social media pages on Facebook, Instagram, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.