Would you like to learn how to install and configure the Splunk Universal Forwarder? In this tutorial, we are going to show you how to set up the Splunk Forwarder on a computer running Linux to start collecting and sending logs to your indexer.
Copyright © 2018-2026 by Techexpert.tips.
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means without the prior written permission of the publisher.
Equipment list
Here you can find the list of equipment used to create this tutorial.
This link will also show the software list used to create this tutorial.
Tutorial Linux - Install Splunk Forwarder
As a requirement, the Splunk server must have the index created and be listening for connections on port 9997.
In our example, the Splunk server's IP address used is listed below.
In our example, the index configured on the Splunk server to receive logs from Linux computers is listed below.
Download the Splunk Universal Forwarder
Install the Splunk Forwarder package using the dpkg package manager.
Start the Splunk service, automatically accepting the license and seeding the initial admin password.
The installer creates a local admin account on the Splunk Forwarder and generates a random password for it.
Make sure to save the admin username and password in a secure location.
Configure the forwarder to send data to your Splunk Indexer or Intermediate Forwarder.
Configure the Splunk Forwarder to monitor the main system log file.
Configure the Splunk Forwarder to monitor the authentication log for security events.
Verify that the Splunk Forwarder service is running.
List all active forwarding servers to confirm connectivity with the Splunk indexer.
Display all files and directories currently being monitored by the Splunk Forwarder.
Verify the configuration file to ensure all log monitoring rules are correctly saved.
Here is the content of the file.
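The following script is an added example, not the tutorial's own command output or file content. It reproduces the two configuration files the forward-server and monitor steps above leave on disk, then audits them the way you would after finishing the procedure: which log files are monitored, into which index, and which indexer:port receives the data. The install path /opt/splunkforwarder, the indexer address 192.0.2.10 and the index name "linux" are assumptions (constructed placeholders, not values from the page), and everything is written under a temporary directory so it runs offline without Splunk installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Writes the outputs.conf and
# inputs.conf that the Splunk CLI steps produce, then verifies them.
#
# Assumptions (constructed, not from the page): install path, indexer
# address (RFC 5737 documentation range) and index name below.
SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)/opt/splunkforwarder}"
INDEXER="${INDEXER:-192.0.2.10:9997}"   # constructed placeholder indexer:port
INDEX="${INDEX:-linux}"                 # constructed placeholder index name

# write_outputs_conf: what "splunk add forward-server <host:port>" records
# in etc/system/local/outputs.conf (location is an assumption).
write_outputs_conf() {
  mkdir -p "$SPLUNK_HOME/etc/system/local"
  cat > "$SPLUNK_HOME/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $INDEXER

[tcpout-server://$INDEXER]
EOF
}

# write_inputs_conf: what "splunk add monitor <path> -index <index>" records
# in etc/apps/search/local/inputs.conf, one stanza per path argument
# (location is an assumption).
write_inputs_conf() {
  mkdir -p "$SPLUNK_HOME/etc/apps/search/local"
  conf="$SPLUNK_HOME/etc/apps/search/local/inputs.conf"
  : > "$conf"
  for path in "$@"; do
    printf '[monitor://%s]\nindex = %s\ndisabled = false\n\n' "$path" "$INDEX" >> "$conf"
  done
}

# list_monitors: prints every monitored path found in inputs.conf, one per line.
list_monitors() {
  sed -n 's|^\[monitor://\(.*\)\]$|\1|p' "$SPLUNK_HOME/etc/apps/search/local/inputs.conf"
}

# forward_target: prints the indexer host:port configured in outputs.conf.
forward_target() {
  sed -n 's/^server *= *//p' "$SPLUNK_HOME/etc/system/local/outputs.conf"
}

# is_monitored: exit 0 if the given path has a monitor stanza, 1 otherwise.
is_monitored() {
  list_monitors | grep -qx "$1"
}

# audit: fail unless the system log and the authentication log are both
# watched and the forwarder sends to the indexer's port 9997.
audit() {
  is_monitored /var/log/syslog   || { echo "syslog not monitored" >&2; return 1; }
  is_monitored /var/log/auth.log || { echo "auth.log not monitored" >&2; return 1; }
  case "$(forward_target)" in
    *:9997) ;;
    *) echo "forwarder not sending to port 9997" >&2; return 1 ;;
  esac
  echo "forwarder configuration looks correct: $(list_monitors | tr '\n' ' ')-> $(forward_target)"
}

write_outputs_conf
write_inputs_conf /var/log/syslog /var/log/auth.log
audit
```

Run it as-is to see the generated stanzas under the temporary SPLUNK_HOME; on a real forwarder, set SPLUNK_HOME=/opt/splunkforwarder and call only list_monitors, forward_target and audit so the files written by the splunk CLI are checked rather than overwritten.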
Congratulations! You have successfully installed and configured the Splunk Forwarder on Linux.