Building a Splunk lab [part 2]

Part 2 – Universal Forwarders

Now we have a working Splunk install it’s time to get some data in. In this part, I will configure a Universal Forwarder to forward logs to the indexer then confirm that the Universal Forwarder is configured correctly by searching Splunk’s internal index for our new forwarder.

The universal forwarder is a package deployed to hosts in order to collect logs locally. Universal forwarders can also act as an aggregation point for logging methods such as syslog and remote collection.


The Host
This article will not cover the installation of CentOS or the configuration steps required to get up to the point of installation. If you need to be walked through setting up a new host, see part 1 of this series. The next step assumes that you already have a CentOS host stood up and running.


– A working CentOS host (separate to the spunk lab)
– The universal forwarder RPM


This section will cover deploying the universal forwarder to the collection host. Before following these steps you will need to have built the collector (CentOS). Download the Universal Forwarder package from Splunk and move it on to the collector host (either wget from the host or transfer via sftp).

Lets install the UF package:

rpm -i splunkforwarder-6.3.2-**-linux-2.6-x86_64.rpm

Now enable boot start & accept the license terms:

./opt/splunkforwarder/bin/splunk enable boot-start --accept-license

At this point, connect to the splunklab and allow port 9997/TCP inbound:

firewall-cmd --add-port=9997/tcp --permanent

Once the UF (universal forwarder is installed, configuration can begin. First, we need to add the host details of the indexer that the UF will forward to:

./opt/splunkforwarder/bin/splunk add forward-server <host>:9997 -auth admin:changeme

Note: the default credentials for a UF are “admin:changeme”, these can be changed but we will not go in to this right now. Make sure you replace above with the IP address of your splunklab VM.

Start the UF:

/opt/splunkforwarder/bin/splunk start

At this point it is worth restarting Splunk on the splunklab VM, this can be done via the webGUI or by running the following command on the splunklab VM:

./opt/splunk/bin/splunk restart


Checking everything is working
Now it is time to check if everything has gone to plan and the UF is installed/configured correctly. Log in to the splunklab webGUI and perform the following search:

index="_internal" host="collector"

Make sure you replace “collector” with the hostname of your collector. If you do not have the hostname to hand, simply search the _internal index then select the hosts field, there should be two if all went well (splunklab + collector).

Next up, Building a Splunk lab [Part 3]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s