When downloading a Universal Forwarder, pay attention to the versions of Windows that the package supports. For example, newer versions of the Universal Forwarder, such as 8.1.x, don’t support older versions of Windows Server, such as Windows Server 2012 or Windows Server 2012 R2.
If you’re a Hurricane Labs Managed Splunk Services customer, our support team can advise you on what packages are best suited for your environment and provide the MSI if you don’t have a Splunk account available.
Gather Required Information
There are two ways to install the Universal Forwarder: the MSI with command-line arguments, or the GUI installer. Before proceeding with either option, gather the following information:
- Deployment Server: This is the host in your Splunk environment that manages configuration on all of your universal forwarders. This should be a DNS CNAME whenever possible to make future updates or server migrations easier. We do not recommend specifying the IP address of a deployment server when applying this configuration.
- Username and password: This should be a unique username and password that will be configured on the Universal Forwarder and used in the event of any configuration changes or troubleshooting needed in the future. In versions of Splunk preceding 7.1, this was automatically set to admin/changeme, but this is now a required parameter due to security concerns around a default password.
Using the MSI Installation
For most clients, using the MSI installer with arguments makes the most sense, because the deployment can be driven entirely by configuration flags passed to the MSI. The installation arguments for the MSI are detailed in the Splunk documentation.
You’ll want to use the following arguments on this install:
With all of these set, the /quiet flag should also work.
For example, the following msiexec command would install the universal forwarder to connect to the deployment server of ccnproddeploy01.customerscallnow.com and set a username and password.
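A PowerShell wrapper around the kind of msiexec call described above, written as an added example; it is not the original post's command or Splunk's own script. The MSI path, the account name and port 8089 are assumptions, and the MSI property names are the ones listed in Splunk's MSI installation documentation.

```powershell
# Added example. Placeholder values are marked; adjust for your environment.
$Msi              = 'C:\Temp\splunkforwarder-x64.msi'               # placeholder path to the downloaded MSI
$DeploymentServer = 'ccnproddeploy01.customerscallnow.com:8089'    # host from the text; port 8089 is assumed
$SplunkUser       = 'ufadmin'                                       # placeholder account name

# Refuse to install a package whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "MSI signature status is '$($sig.Status)'; not installing."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Confirm the deployment server name resolves before it is written into the config.
$dsHost = $DeploymentServer.Split(':')[0]
[void](Resolve-DnsName -Name $dsHost -ErrorAction Stop)

# Prompt for the password instead of storing it in a script or on a share.
$cred  = Get-Credential -UserName $SplunkUser -Message 'Universal Forwarder admin account'
$plain = $cred.GetNetworkCredential().Password
if ($plain -match '"') {
    throw 'Password contains a double quote, which would break msiexec property quoting.'
}

# Build the msiexec argument list: license acceptance, deployment server, credentials, silent mode.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    "SPLUNKUSERNAME=$SplunkUser",
    "SPLUNKPASSWORD=`"$plain`"",
    '/quiet'
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Remove-Variable plain, cred, msiArgs

# msiexec returns 0 on success and 3010 when a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
Write-Host "Universal Forwarder installed (exit code $($proc.ExitCode))."
```

Because MSI properties are passed on the command line, the password is visible to process command-line auditing on the host while the installer runs, so treat those logs as sensitive.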