Hi,
I'm setting up a server with both splunk-server and splunk-universal-forwarder.
When I try to enable the splunk-server service at boot time with this command:
sudo /opt/splunk/bin/splunk enable boot-start -user root
everything is OK and the /etc/init.d/splunk file is created.
But when I try to enable the splunk-universal-forwarder service at boot time, I got this output:
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user root
System start/stop links for /etc/init.d/splunk already exist.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
And the existing /etc/init.d/splunk file is replaced by the new one.
So in the end, I can only enable one service at a time but I'd like to enable both of them of course.
Thanking you in advance for your help
Regards,
Vincent.
You cannot and do not need universal forwarder and full instance on the same server.
The full instance can provide full forwarder functionality, so you can use it to collect whatever you need.
Just configure inputs\props or forwarder apps like you would do with universal forwarder.
Hi @vincent_deygas - Looks like you have a few good options below to try. Did any one of the below answers work for you? If yes, please don't forget to click "Accept" before the best answer and up-vote any comments that were helpful. If no, please leave a comment to provide some feedback. Thanks!
It's not a bug, it's just the script or both try to create a file in /etc/init.d/ with the same details.
I get around it like this when I have two splunk instances on the same box:
nano /etc/init.d/splunk
edit this line:
"# Provides: splunkd" - Change splunkd to anything else. Useful might be ‘splunkdeploy’
Rename the file
mv /etc/init.d/splunk /etc/init.d/splunkdeploy
set perms to 755 on the script file.
chmod 755 /etc/init.d/splunkdeploy
chkconfig --add splunkdeploy – to fix symbolic links and other magic.
THEN run the second ‘enable boot-start’ command. It should go without a hitch.
sudo /opt/splunksearch/splunk/bin/splunk enable boot-start -user splunksearch
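The rename steps from the answer above collected into one function, as an added example that is not part of the original thread or of Splunk's own tooling: it validates the new service name, refuses to overwrite an init script that already exists under that name, and rewrites only the "# Provides:" header. The function name rename_splunk_init and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): move an existing Splunk init script
# aside under a new service name so that a second "enable boot-start" does
# not replace it.
#
# rename_splunk_init INIT_DIR OLD_NAME NEW_NAME   (hypothetical helper)
rename_splunk_init() {
    init_dir=$1; old=$2; new=$3
    src="$init_dir/$old"
    dst="$init_dir/$new"

    # The new name ends up in a file path and a sed replacement, so accept
    # only plain service-name characters.
    case $new in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $new" >&2; return 5 ;;
    esac

    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    # Never clobber an init script already installed under the new name.
    [ ! -e "$dst" ] || { echo "already exists: $dst" >&2; return 2; }
    # Without a Provides: header there is nothing to rename.
    grep -q '^# Provides:' "$src" || { echo "no Provides: line in $src" >&2; return 3; }

    # Write the edited copy to a temp file first, so a failed sed leaves
    # the original script untouched.
    tmp="$dst.tmp.$$"
    sed "s/^# Provides:.*/# Provides: $new/" "$src" > "$tmp" || { rm -f "$tmp"; return 4; }
    chmod 755 "$tmp" && mv "$tmp" "$dst" && rm -f "$src"
}

# On the host, as root, followed by the remaining steps from the answer:
#   rename_splunk_init /etc/init.d splunk splunkdeploy
#   chkconfig --add splunkdeploy
#   ...then run the second "enable boot-start" command.
```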
Interesting thing. For some reason both commands attempt to create the /etc/init.d/splunk file. Looks like a bug ;-)
I believe the Splunk Enterprise holds a Heavy Forwarder but not a Universal one. So maybe @vincent_deygas can use the Heavy Forwarder instead...
Hello, I am new to using this software and just installed Splunk Enterprise and want to monitor events logs from Windows hosts on the network. My question is, is it necessary to install the Universal Forwarder to make this happen? There is a ton of documents out there but it can be very confusing especially when new to the software. Any help would be greatly appreciated.
Hello
The universal forwarder is acting as an "agent": it's just collecting local data (events) and moving them forward to the full Splunk instance.
You would need 1 full Splunk instance and a universal forwarder on each of the desired Windows servers (which you want events from).
Thanks for the response, ahudb. I have Windows clients that I would like to collect event logs from. If I have a full instance of Splunk Enterprise running on one server, do I need to install the Universal Forwarder on the Splunk server?
You do not need to install Universal Forwarder on the Splunk server, but you do need to install it on each Windows client.
Is there a way to push the universal forwarder out to all clients using Splunk Web? What is the most proficient way to do this?
No, the Splunk deployment server can be used to manage universal forwarder configuration but you will need to use a form of automation to install the Splunk universal forwarder on your various endpoints.