Getting Data In

Universal Forwarder installation on remote host

maheshnc
Path Finder

We need to install the UF on remote application servers (Linux/Windows), but as a Splunk admin I don't have direct access (SSH/RDP) to these servers. In such a case, how can I proceed with the UF installation on these servers? Also, how do I decide which UF version to install on these servers?

0 Karma

livehybrid
SplunkTrust

Hi @maheshnc 

As @PickleRick said, you will need some way of getting the UF installation onto the remote server; this will ultimately depend on your organisation, scale, policies, etc.

Some potential options for you that I've experienced before:

  1. Work with Server Owners - Provide the UF installation package and deployment instructions to the server administrators, and/or share deployment scripts that can be executed by local admins.

  2. Use Deployment Management Tools - If there are existing enterprise deployment tools (such as Ansible, Puppet or Terraform), then leverage these; this could be by raising a change to their Git codebase to get the UFs installed. This is often something you might see in large environments.

  3. Request Temporary Access - Request temporary admin access through change management processes to install manually.

Once deployed, configure them to connect to your Deployment Server and use the DS to push out any configurations to manage the UFs, as this handles ongoing configuration management without needing server access.

Regarding the version to deploy, this might depend on your organisation's policy around maintaining software versions; however, check out https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/compatibility-matrix/splunk-p... for a matrix of version compatibility.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

maheshnc
Path Finder

So, in this case, can I download the installer and upload it to OneDrive, then ask the application team to copy it to the remote server and install it, and once it is installed, configure inputs.conf, outputs.conf and deploymentclient.conf?

0 Karma

isoutamo
SplunkTrust

Basically yes.

I do it like:

There are some differences between SCP and Splunk Enterprise!

  1. outputs.conf

    1. SCP: Copy the Splunk Universal Forwarder package from the stack, e.g. https://<STACK NAME>.splunkcloud.com/en-GB/app/splunkclouduf/setupuf (Download Universal Forwarder Credentials).

    2. Splunk Enterprise: Create / update / check the customer's zzz_base_lnx_uf or zzz_base_win_uf configuration from Git. There could be several if there are several environments and/or several targets where clients are sending events.

  2. DS definitions

    1. Create / update / check the customer's zzz_base_ds_uf configuration from Git. There could be several if there are several environments and/or several DSs defined.

  3. Copy the MSI for the UF and the base UF module to the target node, or whatever you are using to install it.

  4. Next:

    msiexec.exe /i <path to temp>/splunkforwarder-<XXXXX>-x64-release.msi AGREETOLICENSE=yes LAUNCHSPLUNK=no SERVICESTARTTYPE=auto /quiet /l*v install-log.txt

  5. Add the correct UF packages under etc\apps\ (both the DS and UF packages).

  6. Start the SplunkForwarder service.

After that you should have connections between the UF and the DS, and between the UF and the indexers. Then you can see the UF's internal logs from your normal SH, and also check and modify the UF's inputs on the DS side.

0 Karma

isoutamo
SplunkTrust

One more comment about the configuration to connect to your indexers or DS.

Depending on how you install your configurations on those systems, you must almost always have some configuration package to install together with the first-time binary installation. At minimum this is a package (Splunk app) that contains the information and needed certs to connect to your Splunk indexers. This applies whether you are installing your collection apps via GPO, Ansible, manually or with some other configuration tool. If you are using a DS (deployment server) to deliver app configuration, then you must also install the DS client package into those UFs. Then just use the DS as it is normally used to deliver other packages.

In that way you can see, immediately after the UFs have been installed and configured, the internal logs from those new UFs. If/when you have configured some alerts for unknown logs, then you can react and continue with the onboarding process as planned.

0 Karma
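The two "base" packages isoutamo describes in the install steps and the comment above (one app carrying outputs.conf for the indexers, one carrying deploymentclient.conf for the DS client) can be staged ahead of time so the server team only copies a directory into etc/apps/ after running the installer. The script below is an added example, not code from the thread or from Splunk; the app names follow the zzz_base_lnx_uf / zzz_base_ds_uf naming used above (on Windows the first would be zzz_base_win_uf), and every hostname and port is a constructed placeholder. It also includes a pre-flight check so a bundle missing either app is caught before it is handed over.

```shell
#!/bin/sh
# Added example (not from the thread): stage the two "base" apps a first-time
# UF install needs, so the server team copies one directory into
# $SPLUNK_HOME/etc/apps/ after running the installer. All hostnames, ports
# and app names are constructed placeholders.
set -eu

# make_base_uf_apps STAGING_DIR "idx1:9997,idx2:9997" "ds-host:8089"
# Creates zzz_base_lnx_uf (outputs.conf -> indexers) and zzz_base_ds_uf
# (deploymentclient.conf -> deployment server) under STAGING_DIR.
make_base_uf_apps() {
  staging="$1"; indexers="$2"; ds_target="$3"
  out_app="$staging/zzz_base_lnx_uf/local"
  ds_app="$staging/zzz_base_ds_uf/local"
  mkdir -p "$out_app" "$ds_app"

  # Indexer connection. The certificate settings for a TLS-verified connection
  # belong in this same app; they are omitted here because they depend on
  # your PKI, which is exactly the "needed certs" the comment above refers to.
  cat > "$out_app/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexers
useACK = true
EOF

  # Deployment-server client: once this is in place the DS delivers inputs.conf
  # and every later change, so nobody needs a login on the host again.
  cat > "$ds_app/deploymentclient.conf" <<EOF
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = $ds_target
EOF
}

# check_base_uf_apps STAGING_DIR
# Pre-flight check before handing the bundle over: both files must exist and
# carry the stanzas the UF needs. Returns 0 when the bundle is complete.
check_base_uf_apps() {
  staging="$1"
  outputs="$staging/zzz_base_lnx_uf/local/outputs.conf"
  dsconf="$staging/zzz_base_ds_uf/local/deploymentclient.conf"
  [ -f "$outputs" ] || { echo "missing $outputs" >&2; return 1; }
  [ -f "$dsconf" ]  || { echo "missing $dsconf" >&2; return 1; }
  grep -q '^\[tcpout:' "$outputs"          || { echo "no tcpout group in outputs.conf" >&2; return 1; }
  grep -q '^server = .*:[0-9]' "$outputs"    || { echo "no indexer in outputs.conf" >&2; return 1; }
  grep -q '^targetUri = .*:[0-9]' "$dsconf"  || { echo "no targetUri in deploymentclient.conf" >&2; return 1; }
  return 0
}

# Demo run: RUN_DEMO=1 ./stage_uf_apps.sh builds a bundle in a temp dir and checks it.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  dir=$(mktemp -d)
  make_base_uf_apps "$dir" "idx1.example.com:9997,idx2.example.com:9997" "ds.example.com:8089"
  check_base_uf_apps "$dir" && echo "bundle ready in $dir"
fi
```

The staged directory is what goes to the application team alongside the installer (msiexec on Windows, the .deb/.rpm/.tgz on Linux); after step 5 above the UF's first phone-home to the DS and its first _internal events arriving on the indexers are the signal that the bundle was correct.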

gcusello
SplunkTrust

Hi @maheshnc ,

as @PickleRick said, it's really difficult to install a UF without accessing the remote server. The only way is, on Windows, using a Group Policy server, but I cannot help you there because you need a Windows specialist; or a software distribution server like Ansible, but anyway, Ansible uses SSH and RDP to install packages on a remote system.

About the version to install, you should identify the latest certified version for your operating system on https://www.splunk.com/en_us/download/universal-forwarder.html .

In addition, it depends on the version of the other installed Splunk components: the Universal Forwarder version must be the same as or lower than the downstream Splunk server. In other words, if you have an indexer at 9.4.1, the highest version you can use is 9.4.1, depending on the operating system of the machine.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

You can't install something on a server without access to that server. That would be a severe security vulnerability if you could. UF deployment is something you usually work on with the local (un)friendly admin team. On a small scale it can be done manually; in bigger environments it's usually either scripted and pushed from GPO or deployed using other endpoint management software. The UF may also be bundled in a standard deployment image for the OS. It's all to be discussed with the OS admins.

0 Karma

maheshnc
Path Finder

I need to install it on a small number of servers. Could you please explain what steps I need to follow to get it installed manually, with the help of the server team, for Windows and Linux machines?
0 Karma