Install the Splunk Universal Forwarder

You can install the Splunk Universal Forwarder on your

  • Endpoints
  • Windows Event Collector node

The installation is largely the same. Differences are explained in the installation steps, where applicable.

You can receive events from the Endpoint Privilege Management Reporting database.

For more information, see Install the Splunk DB Connect Application.

Install Splunk Universal Forwarder

The Splunk Universal Forwarder can be used to collect data from your endpoints.

You can download the forwarder from Splunk: https://www.splunk.com/en_us/download/universal-forwarder.html.

To Install the Splunk Universal Forwarder:

  1. Double-click the Splunk Universal Forwarder installer.

Splunk Universal Forwarder default installation options

  1. Check the box at the top of the Setup dialog box to accept the license agreement.

 

  1. Click Customize Options.
  2. Use the default installation location and click Next.
  3. You can use an SSL certificate to encrypt the events you send to Splunk. Please follow the instructions to do this. Click Next.
  4. If installing the Splunk Universal Forwarder on the endpoint, leave the default as Local System. Splunk only needs to see events from that machine, rather than remotely. Click Next.
  5. If installing the Splunk Universal Forwarder on the Windows Event Collector node, check the Forwarded Events box to send all the forwarded events to Splunk Enterprise. Click Next.

In the next section you can choose to configure the Deployment Server and Receiving Indexer. You must configure either a Deployment Server or a Receiving Indexer as a minimum to send events to Splunk Enterprise.

  1. Enter details about the Splunk Deployment Server here. Splunk deployment servers distribute configurations, applications, and content to groups of Splunk Enterprise instances. Click Next.
  2. Enter details about the Splunk Receiving Indexer here. Splunk receiving indexers receive events from multiple endpoints. Click Next.
  3. Click Install to complete the installation.

The next step is to configure the types of events you want to collect.

For more information, see Configure Splunk Universal Forwarder.