Hi @dordavid,
as @isoutamo said, it isn't possible to install or update a Universal forwarder from a Splunk server, but it's possible to push configurations to UFs.
To do this, you have to configure in your UFs a file (called deploymentclient.conf) where's the address of the Deployment Server, a Splunk server with the role to check and push configurations to UFs.
Deployment server must be a dedicated server if it has to manage more than 50 UFs, otherwise it can share this role with another one, but not Master Node, Indexer or Search Head.
So, you don't see any UF in your Master Node because you didin't configured deploymentclient.conf in UFs.
At the end: the correct approach to manage UFs is the following:
- plan your deployment listing all the servers to manage with Deployment server and identifying for each the apps to deploy;
- check that all the firewall routes are open between:
- UFs and Deployment Server on port 8089,
- UFs and Indexers and Master Node on port 9997;
- install a Deployment Server, possibly on a dedicated server,
- install Universal Forwarder on the target servers;
- create a Technical Add-On (called e.g. TA_Forwarders) containing two files (deploymentclient.conf and outputs.conf):
- in the first put the address of the Deployment Server,
- in the second the addresses of the indexers or of the Master Node);
- copy the TA_forwarders in every target server in $SPLUNK_HOME/etc/apps;
- restart Splunk in every targer server.
In this way, you'll be able to see in [Settings -- Forwarder Management] all the UFs and at this point you'll be able to create the ServerClasses to deploy configurations to UFs.
You can find a guide to the above steps at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver (read carefully these pages before to start!).
Ciao.
Giuseppe
