
October 5, 2017

Splunk Universal Forwarder Setup

by Criss Davis

On the Splunk server (the indexer) enable receiving on port 9997, either in the web UI under Settings > Forwarding and receiving > Configure receiving, or from the CLI with "splunk enable listen 9997". Only expose that port to the hosts that will forward to it (host firewall or security group), and note that the forwarder-to-indexer channel is not encrypted unless you configure SSL in outputs.conf on the forwarder and inputs.conf on the indexer.

Download the universal forwarder package that matches your device's architecture. In this case I am using a Raspberry Pi, so I used the ARM build. Change into the directory you downloaded the forwarder to and run the following commands to install it under /opt as root, start it at boot, and begin monitoring the /var/log directory. Replace X.X.X.X with the IP address of your Splunk server.

# unpack into /opt/splunkforwarder
sudo tar xzvf splunkforwarder-7.0.0-c8a78efdd40f-Linux-arm.tgz -C /opt
# first start; accept the license non-interactively
sudo /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt
# point the forwarder at the indexer's receiving port (writes outputs.conf; prompts for the forwarder's admin login)
sudo /opt/splunkforwarder/bin/splunk add forward-server X.X.X.X:9997
# watch /var/log (writes inputs.conf)
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log
sudo /opt/splunkforwarder/bin/splunk restart
# install an init script so the forwarder comes up after a reboot
sudo /opt/splunkforwarder/bin/splunk enable boot-start
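The "add forward-server" and "add monitor" commands above just write stanzas into outputs.conf and inputs.conf under the forwarder's etc/system/local directory. When you have more than one Pi it is easier to generate those files from a script (or ship them in a deployment app) than to type the commands on each device. The script below is an added example, not code from the original post; the group name primary_indexers and the target directory are assumptions, and it refuses the X.X.X.X placeholder so a copy-pasted, unedited address cannot silently produce a forwarder that starts cleanly but never delivers an event.

```shell
#!/bin/sh
# Added example (not from the original post): generate the outputs.conf and
# inputs.conf stanzas equivalent to "splunk add forward-server" and
# "splunk add monitor". Group name and paths are assumptions.

# Validate a host:port pair. Rejects the post's X.X.X.X placeholder,
# a missing port, and ports outside 1-65535.
valid_forward_server() {
  host="${1%:*}"
  port="${1##*:}"
  [ "$host" != "$1" ] || return 1        # no ':' at all
  [ -n "$host" ] || return 1
  [ "$host" != "X.X.X.X" ] || return 1   # placeholder left unchanged
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# $1 = indexer host:port, $2 = absolute directory to monitor,
# $3 = config directory (normally $SPLUNK_HOME/etc/system/local, or the
#      local/ directory of a deployment app)
write_forwarder_conf() {
  valid_forward_server "$1" || { echo "bad forward-server: $1" >&2; return 1; }
  mkdir -p "$3" || return 1
  # tcpout group "primary_indexers" is an assumed name; the CLI uses
  # "default-autolb-group"
  cat > "$3/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $1
EOF
  # an absolute path after monitor:// yields the usual three-slash stanza
  cat > "$3/inputs.conf" <<EOF
[monitor://$2]
disabled = false
EOF
}

# Usage (constructed values; 192.0.2.10 is a documentation address):
#   write_forwarder_conf 192.0.2.10:9997 /var/log /opt/splunkforwarder/etc/system/local
#   sudo /opt/splunkforwarder/bin/splunk restart
```

After writing the files, restart the forwarder and confirm the connection with "splunk list forward-server", which shows the indexer under "Active forwards" once the TCP session to port 9997 is up.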
