How can I install Splunk universal forwarder on Linux?

Below are the instructions for Splunk universal forwarder installation on Linux:

Linux Install: Should be done as root.
Download installation files from: https://uofi.box.com/v/splunk

Adapted from:

Create and configure the splunk user account

  1. adduser splunk 
  2. usermod -aG wheel splunk
  3. passwd splunk  <== not necessary, unless you wish to directly login as splunk rather than escalate privileges

Download and install Splunk forwarder

  1. cd /opt/
  2. wget -O splunkforwarder-7.1.2-a0c72a66db66-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=universalforwarder&filename=splunkforwarder-7.1.2-a0c72a66db66-Linux-x86_64.tgz&wget=true'
  3. tar -xvf splunkforwarder-7.1.2-a0c72a66db66-Linux-x86_64.tgz -C /opt/
  4. chown -R splunk:splunk splunkforwarder
  5. setfacl -R -m d:splunk:rwX /var/log/
  6. setfacl -R -m u:splunk:rwX /var/log
  7. su - splunk
  8. /opt/splunkforwarder/bin/splunk start --accept-license
Output:

This appears to be your first time running this version of Splunk.

Create credentials for the administrator account.
Characters do not appear on the screen when you type the password.
Password must contain at least:
   * 8 total printable ASCII characters(s).
Please enter a new password:   <== password is independent of the splunk account password.


After verifying installation was successful, enable boot start, again as root.

1. /opt/splunkforwarder/bin/splunk stop
2. /opt/splunkforwarder/bin/splunk enable boot-start -user splunk

Output:

Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.


Install UIC Splunk deployment client app:

  1. Visit https://uofi.box.com/v/splunk
  2. Transfer UIC_ALL_deploymentclient folder to /opt/splunkforwarder/etc/apps/
  3. chown -R splunk:splunk /opt/splunkforwarder
  4. /opt/splunkforwarder/bin/splunk start

Verify service is running as splunk user:

  1. ps -ef | grep splunk

Configure Firewall Rules

Open firewall port 8089/tcp for Splunk to splunk-deployment.server.uic.edu (131.193.68.94) and indexer-sas.splunk.uic.edu (indexer.cc.uic.edu) (128.248.155.23).
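Post-install check script for the steps above. This is an added example, not part of the KB article: it assumes the article's paths and host names (/opt/splunkforwarder, user splunk, deployment server on 8089/tcp) and assumes the UIC_ALL_deploymentclient app carries a standard deploymentclient.conf with a targetUri setting. Run it as `sh check_forwarder.sh run`.

```shell
#!/bin/sh
# Post-install checks for the forwarder layout used in the steps above.
# Added example, not from the original article; values below are assumptions
# taken from the article and can be overridden through the environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
DEPLOY_SERVER="${DEPLOY_SERVER:-splunk-deployment.server.uic.edu:8089}"

# Read `ps -ef` output on stdin; succeed only if every splunkd process runs as $1.
# Field 1 is UID, field 8 is the start of CMD; the "grep splunk" line is ignored.
splunkd_owned_by() {
    bad=$(awk -v u="$1" '$8 ~ /splunkd/ && $1 != u { print $1 }')
    [ -z "$bad" ]
}

# Print the targetUri from a deploymentclient.conf ($1); empty if not set.
deployment_target() {
    sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if the init script that `enable boot-start` installs is present.
boot_start_installed() {
    [ -x "${1:-/etc/init.d/splunk}" ]
}

# Succeed if host:port ($1) accepts a TCP connection (tests the 8089/tcp rule).
can_reach() {
    nc -z -w 3 "${1%:*}" "${1##*:}"
}

main() {
    rc=0
    ps -ef | splunkd_owned_by "$SPLUNK_USER" \
        || { echo "FAIL: a splunkd process is not running as $SPLUNK_USER"; rc=1; }
    boot_start_installed \
        || { echo "FAIL: /etc/init.d/splunk missing; run 'splunk enable boot-start'"; rc=1; }
    conf=$(find "$SPLUNK_HOME/etc/apps" -name deploymentclient.conf 2>/dev/null | head -n 1)
    target=$(deployment_target "${conf:-/dev/null}")
    [ "$target" = "$DEPLOY_SERVER" ] \
        || { echo "FAIL: targetUri is '$target', expected $DEPLOY_SERVER"; rc=1; }
    can_reach "$DEPLOY_SERVER" \
        || { echo "FAIL: cannot reach $DEPLOY_SERVER; check the 8089/tcp firewall rule"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: forwarder checks passed"
    return "$rc"
}

if [ "${1:-}" = "run" ]; then main; fi
```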

Keywords: splunkforwarder, installation files, Tar file installation
Doc ID: 86156
Owner: Mike K.
Group: University of Illinois at Chicago ACCC
Created: 2018-10-01 10:07 CST
Updated: 2019-08-28 14:28 CST
Sites: University of Illinois at Chicago ACCC