
October 5, 2017

Splunk Universal Forwarder Setup

by Criss Davis

On the Splunk server, enable the Splunk listener (receiving) on port 9997.

Download the correct universal forwarder for your device. In this case I am using a Raspberry Pi and used the ARM version. Navigate to the directory you downloaded the universal forwarder into and run the following commands to install the forwarder as root, start it at boot, and start monitoring the /var/log directory. Change X.X.X.X to your Splunk server's IP address.

# Unpack the forwarder into /opt (creates /opt/splunkforwarder)
sudo tar xzvf splunkforwarder-7.0.0-c8a78efdd40f-Linux-arm.tgz -C /opt
# First start; accept the license non-interactively (flags take two dashes)
sudo /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
# Point the forwarder at the indexer's receiving port (replace X.X.X.X)
sudo /opt/splunkforwarder/bin/splunk add forward-server X.X.X.X:9997
# Start monitoring /var/log
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log
sudo /opt/splunkforwarder/bin/splunk restart
# Install an init script so the forwarder starts at boot
sudo /opt/splunkforwarder/bin/splunk enable boot-start
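As an added example (not part of the original post), a small POSIX shell script to verify the result of the commands above: it parses the outputs.conf and inputs.conf that `splunk add forward-server` and `splunk add monitor` write, and probes the indexer's receiving port. It assumes the default install path /opt/splunkforwarder; the sample configs and the 10.0.0.5 address are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Universal Forwarder
# by reading the outputs.conf / inputs.conf written by the setup commands and
# probing the indexer's receiving port. SPLUNK_HOME assumed: /opt/splunkforwarder.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print one "host:port" per line for every "server = ..." entry in outputs.conf
# (comma-separated lists are split; comment lines and blank entries are dropped).
list_forward_servers() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Print the path of every [monitor://...] stanza in inputs.conf.
list_monitors() {
    sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

# Succeed (exit 0) when a TCP connection to host:port opens within 3 seconds.
port_open() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1  # fallback without nc
    fi
}

# Report each configured indexer and whether it is reachable; fail (exit 1) if
# /var/log is not monitored or no indexer accepts connections on its port.
check_forwarder() {
    outputs="$1"; inputs="$2"; ok=1; reachable=0
    list_monitors "$inputs" | grep -qx '/var/log' || { echo "WARN: /var/log is not monitored"; ok=0; }
    for s in $(list_forward_servers "$outputs"); do
        host="${s%:*}"; port="${s##*:}"
        if port_open "$host" "$port"; then echo "OK   $s reachable"; reachable=1
        else echo "FAIL $s not reachable (is the listener on port $port enabled?)"; fi
    done
    [ "$reachable" -eq 1 ] && [ "$ok" -eq 1 ]
}

# Constructed sample configs in the shape the add forward-server / add monitor
# commands generate (replace with $SPLUNK_HOME/etc/system/local/*.conf in real use).
SAMPLE_OUT=$(mktemp); SAMPLE_IN=$(mktemp)
printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n[tcpout:default-autolb-group]\nserver = 10.0.0.5:9997\n\n[tcpout-server://10.0.0.5:9997]\n' > "$SAMPLE_OUT"
printf '[monitor:///var/log]\ndisabled = false\n' > "$SAMPLE_IN"
# Real use: check_forwarder "$SPLUNK_HOME/etc/system/local/outputs.conf" "$SPLUNK_HOME/etc/system/local/inputs.conf"
```

A FAIL line for an indexer usually means the listener on 9997 was never enabled on the Splunk server or a firewall sits between the Pi and the indexer.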

