Note: if you’re not running the Universal Forwarder as root, you can specify a -user argument to this boot-start command to ensure the UF process starts as the correct user. The boot-start command itself will still need to be run as root in order to create the necessary files.
At this point, the Universal Forwarder installation is complete, and you can move on to the next section: Configuring the Deployment Server.
Configuring the Deployment Server
Now that the Universal Forwarder is installed, you’ll want to configure the Universal Forwarder to connect to the deployment server. This allows the Universal Forwarder to retrieve configuration details, such as what log files should be monitored and where the data should be sent to be indexed.
There are three approaches to setting the deployment server that we’ll look at:
- Using the deploy-poll command
- Creating a deploymentclient.conf file
- Configuring a deployment app
To configure the deployment server, you’ll need to know the name of the deployment server and the port for the Splunkd process on the deployment server (which is almost always TCP/8089). I recommend that you point the Universal Forwarder at a DNS CNAME, such as splunkdeploy.your-fqdn.com, rather than at the server’s actual hostname, as this makes it much easier to move the deployment server later. For the same reason, I don’t recommend specifying an IP address for the deployment server, as that is potentially even harder to update later if needed.
Using the deploy-poll command
The deploy-poll command is passed as an argument to the splunk executable and points the Universal Forwarder at its deployment server. Under the hood it effectively creates a deploymentclient.conf file in $SPLUNK_HOME/etc/system/local, which we’ll cover in the next section.
The deploy-poll command requires authentication using the username and password that you created when the Universal Forwarder was installed. If you have already forgotten that password, you can use one of the other two options below or check out my tutorial on Performing a Splunk Password Reset.
The syntax for the deploy-poll command is as follows:
$SPLUNK_HOME/bin/splunk set deploy-poll <deployment.server.fqdn>:<port>
For example, if you have the Splunk Universal Forwarder installed to /opt/splunkforwarder, and your deployment server is named splunkdeploy.customerscallnow.com using port 8089, you’d run the following command:
/opt/splunkforwarder/bin/splunk set deploy-poll splunkdeploy.customerscallnow.com:8089
You’ll be prompted to enter the username and password for the Universal Forwarder to complete the process.
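As an added example that is not part of the original post, the POSIX shell wrapper below checks a deployment server target against the recommendations above (host:port form, a numeric port, a DNS name rather than a bare IP) before handing it to set deploy-poll. The default install path /opt/splunkforwarder and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code: validate a deployment server
# target before running "splunk set deploy-poll". Assumed install path below.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# validate_deploy_target HOST:PORT
# Prints the normalised "host:port" and returns 0 on success; otherwise prints
# the reason to stderr and returns 1.
validate_deploy_target() {
    target="$1"
    case "$target" in
        *:*) ;;
        *) echo "error: expected <fqdn>:<port>, got '$target'" >&2; return 1 ;;
    esac
    host="${target%:*}"
    port="${target##*:}"
    # The port must be an integer between 1 and 65535.
    case "$port" in
        ''|*[!0-9]*) echo "error: port '$port' is not numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "error: port $port is out of range" >&2; return 1
    fi
    # Reject a dotted-quad IPv4 literal: a CNAME is far easier to change later.
    case "$host" in
        *[!0-9.]*) ;;    # contains a letter or other character: a hostname
        *) echo "error: '$host' is an IP address; use a DNS name" >&2; return 1 ;;
    esac
    # A name without a dot is probably not fully qualified; warn but allow it.
    case "$host" in
        *.*) ;;
        *) echo "warning: '$host' does not look like an FQDN" >&2 ;;
    esac
    if [ "$port" != 8089 ]; then
        echo "warning: port $port is not the usual splunkd port 8089" >&2
    fi
    echo "$host:$port"
}

# set_deploy_poll HOST:PORT
# Validates the target, then runs the interactive CLI command; splunk prompts
# for the Universal Forwarder admin credentials as described above.
set_deploy_poll() {
    t=$(validate_deploy_target "$1") || return 1
    "$SPLUNK_HOME/bin/splunk" set deploy-poll "$t"
}
```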