topic Re: Universal Forwarder installation on remote host in Getting Data In

Universal Forwarder installation on remote host

maheshnc — Sat, 04 Oct 2025 09:08:54 GMT

We need to install UF on remote application servers (linux/windows) but as a splunk admin, I don't have direct access (ssh/rdp) to these servers, in such case how can I proceed with UF installation on these servers? Also, how to decide UF version to be installed on these servers?

Re: Universal Forwarder installation on remote host

PickleRick — Sat, 04 Oct 2025 09:18:11 GMT

You can't install something on a server without access to that server. That would be a severe security vulnerability if you could. UF deployment is something you usually work on with the local (un)friendly admin team. On a small scale it can be done manually, in bigger environments it's usually either scripted and pushed from GPO or deployed using another enpoint managing software. The UF may also be bundled in a standard deployment image for the OS. It's all to be discussed with the OS admins.

Re: Universal Forwarder installation on remote host

maheshnc — Sat, 04 Oct 2025 09:35:29 GMT

I need to install it on few number of servers, could you please explain what steps I need to follow to get it installed with the help of server team manually for windows and linux machine?

Re: Universal Forwarder installation on remote host

PickleRick — Sat, 04 Oct 2025 09:54:28 GMT

https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/10.0/install-the-universal-forwarder

Re: Universal Forwarder installation on remote host

gcusello — Sun, 05 Oct 2025 08:09:20 GMT

Hi @maheshnc ,

as @PickleRick said it's really difficoult to install an UF without accessing the remote server, the only way is, on Windows using Group Policy Server, but I cannot help you because you n eed a Windows specialist, or a Software distribution server, like Ansible, and use it, but anyway, Ansible uses SSH and RDP to install packages on a remote system.

About the version to install, you should identify the last certified version for you Operative System on https://www.splunk.com/en_us/download/universal-forwarder.html .

In addition it depends on the version of other installed Splunk: the Universal Forwarder version must be the same or lower than the following Splunk Server, in other words, if you have an Indexer 9.4.1, the higher version you can use is 9.4.1 depending on the Operative System of the machine.

Ciao.

Giuseppe

Re: Universal Forwarder installation on remote host

livehybrid — Sun, 05 Oct 2025 09:39:22 GMT

Hi @maheshnc

As @PickleRick said, you will need some way of getting the UF installation onto the remote server, this will ultimately depend on your organisation, scale, policies etc.

Some potential options for you that I've experienced before:

Work with Server Owners - PRovide the UF installation package and deployment instructions to the server administrators and/or share deployment scripts that can be executed by local admins
Use Deployment Management Tools - If there are existing enterprise deployment tools such as Ansible, Puppet, Terraform) then leverage these - this could be by raising a change to their Git codebase to get the UFs installed, this is often something you might see in large environments.
Request Temporary Access - Request temporary admin access through change management processes to install manually.

Once deployed, configure them to connect to your Deployment Server and use the DS to push out any configurations to manage the UFs as this handles ongoing configuration management without needing server access.

Regarding the version to deploy, this might depend on your organisation's policy around maintaining software versions however check out https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/compatibility-matrix/splunk-products-version-compatibility/compatibility-between-forwarders-and-splunk-enterprise-indexers for a matrix of version compatibility.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Universal Forwarder installation on remote host

isoutamo — Sun, 05 Oct 2025 13:25:20 GMT

One more comment about the configuration to connect your indexers or DS.

Depending on how you install your configurations on those systems you must have almost always some configuration package to install with first time binary installation. In minimum this is package (splunk app) that contains information and needed certs to connect to Your Splunk Indexers. This apply if you are installing your collection apps via GPO, Ansible, manually or some other configuration tool. If you are using DS (deployment server) to deliver app configuration then you must install also DS client package into those UFs. Then just us DS as normally is used to deliver other packages.

In that way you can see immediately, after UFs has installed and configured to configure your system, internal logs from those new UF. If/when you have configure some alerts for unknown logs then you can react and continue with onboarding process as planned.

Re: Universal Forwarder installation on remote host

maheshnc — Mon, 06 Oct 2025 10:27:46 GMT

So, in this case, can I download the installer and upload it to the onedrive and then ask Application team to copy it to the remote server and install, once installed then configure the inputs.conf, outputs.conf and deploymentclient.conf?

Re: Universal Forwarder installation on remote host

isoutamo — Mon, 06 Oct 2025 14:10:54 GMT

Basically yes.

I do it like:

There some differences between SCP and Splunk Enterprise!

outputs.conf
1. SCP: Copy Splunk Universal Forwarder package from stack e.g. https://<STACK NAME>.splunkcloud.com/en-GB/app/splunkclouduf/setupuf (Download Universal Forwarder Credentials)
2. Splunk Enterprise: Create / update / check Customer’s zzz_base_lnx_uf or zzz_base_win_uf configuration from GIT. There could be several if there are several environments and/or several target where clients are sending events.
DS definitions
1. Create / update / check Customer’s zzz_base_ds_uf configuration from GIT. There could be several if there are several environments and/or several DS defined.
Copy msi for UF and base uf module to target node or whatever you are using for install it
Next

msiexec.exe /i <path to temp>/splunkforwarder-<XXXXX>-x64-release.msi AGREETOLICENSE=yes LAUNCHSPLUNK=no SERVICESTARTTYPE=auto /quiet /l*v install-log.txt
Add correct UF package under etc\apps\ (both DS and UF packages).
Start SplunkForwarder service

After that you should have connections between UF and DS and UF and indexers. Then you can see UF's internal logs from your normal SH and also check and modify UF's inputs on DS side.