Splunk Cloud Platform

Install Universal Forwarder Credentials on Windows

kymkin
Engager

Hi, I've been trying to follow the documentation to install the credentials for Windows for Universal Forwarder. It's been a nightmare to say the least. The documentation is rather confusing. I ran the wget command to install the universal forwarder. I used

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

to install and agree to the license. Now I'm stuck. I've tried following the example. Used  C:\ProgramFiles\splunkuniversalforwarder\bin\splunk.exe install app C:\Users\Ryzen5\Downloads\splunkclouduf.spl to run the file for the credentials and I'm getting errors. I tried several variations and nothing is working. I don't know if I am missing something that is glaringly obvious. Any help would be  appreciated. I followed this https://docs.splunk.com/Documentation/Forwarder/8.2.0/Forwarder/InstallaWindowsuniversalforwarderfro... for the installation and I TRIED following the windows instructions from here https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/ConfigSCUFCredentials.

Labels (2)
0 Karma

azteksites
Explorer

@kymkin 

I'm not exactly sure where the install is failing for you, but I can tell you the additional parameters I've successfully used for my install script.

  1. Adding the directory of the forwarder program file location. (i.e., C:\ or D:\ drive before the .msi file name)
  2. INSTALLDIR_ parameter (determines where install location of the UF program)
  3. I add the the license agreement parameter prior to the log collection parameters. Not sure if this actually changes the install process or not.
  4. SPLUNKUSERNAME/SPLUNKPASSWORD parameters to set your own admin credentials.
  5. /passive end flag (instead of quiet). This is essentially a quiet installation with a progress display.

Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...