How can I enable both Splunk server and Splunk Universal Forwarder at boot time?

vincent_deygas
New Member

Hi,

I'm setting up a server with both splunk-server and splunk-universal-forwarder.
When I try to enable the splunk-server service at boot time with this command:

sudo /opt/splunk/bin/splunk enable boot-start -user root

Everything is OK and the /etc/init.d/splunk file is created.

But when I try to enable the splunk-universal-forwarder service at boot time, I got this output:

sudo /opt/splunkforwarder/bin/splunk enable boot-start -user root
 System start/stop links for /etc/init.d/splunk already exist.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

And the existing /etc/init.d/splunk file is replaced by the new one.

So in the end, I can only enable one service at a time, but I'd like to enable both of them of course.
Thanking you in advance for your help.

Regards,
Vincent.

0 Karma
1 Solution

ehudb
Contributor

You cannot and do not need universal forwarder and full instance on the same server.

The full instance can provide full forwarder functionality, so you can use it to collect whatever you need.
Just configure inputs\props or forwarder apps like you would do with universal forwarder.

0 Karma

aaraneta_splunk
Splunk Employee

Hi @vincent_deygas - Looks like you have a few good options below to try. Did any one of the below answers work for you? If yes, please don't forget to click "Accept" before the best answer and up-vote any comments that were helpful. If no, please leave a comment to provide some feedback. Thanks!

0 Karma

mrgibbon
Contributor

It's not a bug, it's just the script or both try to create a file in /etc/init.d/ with the same details.

I get around it like this when I have two splunk instances on the same box:

nano /etc/init.d/splunk
Edit this line:
"# Provides: splunkd" - Change splunkd to anything else. Useful might be ‘splunkdeploy’.
Rename the file:
mv /etc/init.d/splunk /etc/init.d/splunkdeploy
Set perms to 755 on the script file:
chmod 755 /etc/init.d/splunkdeploy
chkconfig --add splunkdeploy – to fix symbolic links and other magic.

THEN run the second ‘enable boot-start’ command. It should go without a hitch.
sudo /opt/splunksearch/splunk/bin/splunk enable boot-start -user splunksearch

0 Karma
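
The rename steps in the answer above, written as shell functions with a guard against overwriting an existing script and a check for two init scripts that declare the same "Provides" name. This is an added example, not part of the original post or Splunk's own tooling; the function names and the INIT_DIR override are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. INIT_DIR defaults to /etc/init.d; point it at a copy to rehearse.
INIT_DIR="${INIT_DIR:-/etc/init.d}"

# Print the LSB "Provides" name declared in an init script.
provides_of() {
    sed -n 's/^#[[:space:]]*Provides:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# rename_init_script OLD NEW: move $INIT_DIR/OLD to $INIT_DIR/NEW and rewrite
# its Provides line to NEW. Returns 2 instead of clobbering an existing script.
rename_init_script() {
    old="$INIT_DIR/$1"
    new="$INIT_DIR/$2"
    # Keep the new name safe to use in a sed replacement and as a file name.
    case "$2" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid name: $2" >&2; return 1 ;;
    esac
    if [ ! -f "$old" ]; then echo "missing: $old" >&2; return 1; fi
    if [ -e "$new" ]; then echo "refusing to overwrite $new" >&2; return 2; fi
    sed "s/^\(#[[:space:]]*Provides:[[:space:]]*\).*/\1$2/" "$old" > "$new" || return 1
    chmod 755 "$new"
    rm -f "$old"
    # Re-register runlevel links only on the real init directory.
    if [ "$INIT_DIR" = /etc/init.d ] && command -v chkconfig >/dev/null 2>&1; then
        chkconfig --add "$2"
    fi
}

# List Provides names declared by more than one script in $INIT_DIR.
# Empty output means the two instances no longer collide.
duplicate_provides() {
    for f in "$INIT_DIR"/*; do
        if [ -f "$f" ]; then provides_of "$f"; fi
    done | sort | uniq -d
}

# Usage (as root): rename_init_script splunk splunkdeploy
# then run the second "enable boot-start" and call duplicate_provides.
```

If duplicate_provides still prints a name after the second "enable boot-start", the newly generated script declares the same Provides value as another script in the directory.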

ddrillic
Ultra Champion

Interesting thing. For some reason both commands attempt to create the /etc/init.d/splunk file. Looks like a bug ;-)

0 Karma

ddrillic
Ultra Champion

I believe the Splunk Enterprise holds a Heavy Forwarder but not a Universal one. So maybe @vincent_deygas can use the Heavy Forwarder instead...

0 Karma

larryholbert
New Member

Hello, I am new to using this software and just installed Splunk Enterprise and want to monitor event logs from Windows hosts on the network. My question is, is it necessary to install the Universal Forwarder to make this happen? There are a ton of documents out there but it can be very confusing, especially when new to the software. Any help would be greatly appreciated.

0 Karma

ehudb
Contributor

Hello,
The universal forwarder is acting as an "agent"; it's just collecting local data (events) and moving them forward to a full Splunk instance.

You would need 1 full Splunk instance and a universal forwarder on each of the desired Windows servers (which you want events from).

0 Karma

larryholbert
New Member

Thanks for the response, ehudb. I have Windows clients that I would like to collect event logs from. If I have a full instance of Splunk Enterprise running on one server, do I need to install the Universal Forwarder on the Splunk server?

0 Karma

ehudb
Contributor

You do not need to install Universal Forwarder on the Splunk server, but you do need to install it on each Windows client.

0 Karma

larryholbert
New Member

Is there a way to push the universal forwarder out to all clients using Splunk Web? What is the most proficient way to do this?

0 Karma

gjanders
SplunkTrust

No, the Splunk deployment server can be used to manage universal forwarder configuration but you will need to use a form of automation to install the Splunk universal forwarder on your various endpoints.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma