
The following steps were tested on FreeBSD x64 11.4, 12.3, 13.0 and 13.1.

1) There are a few required adjustments before installing the forwarder on FreeBSD. This ensures the forwarder functions properly.

a) As root, add the following to loader.conf.
> vi /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
machdep.hlt_cpus=0

b) Add the following to sysctl.conf.
> vi /etc/sysctl.conf

vm.max_proc_mmap=2147483647

c) Restart for the changes to take effect.
> reboot

2) If you have a Forwarder installed, remove it. If you don’t, skip to step 3.

a) Check whether it is running and, if so, stop it.
> /opt/splunkforwarder/bin/splunk status
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk stop

b) Get the package name and delete the older release. The \ before the * is intentional: it escapes the wildcard so the shell does not expand it. In this example, splunkforwarder-8.1.6 is being removed.
> pkg info -g splunkforwarder\*
> pkg delete -y splunkforwarder-8.1.6
> rm /etc/rc.d/splunk
> rm -R /opt/splunkforwarder

3) For a new install, check whether /opt exists.
> ls -l /opt

If it does not exist, create it.
> mkdir /opt

3) Move the Forwarder package to /tmp on your FreeBSD host and install it.
> cd /tmp
> pkg install splunkforwarder-8.2.3-cd0848707637-freebsd-11.3-amd64.txz

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
splunkforwarder: 8.2.3

Number of packages to be installed: 1

The process will require 64 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Installing splunkforwarder-8.2.3...
Extracting splunkforwarder-8.2.3: 100%
complete

a) Start the Forwarder and accept the license.
> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: splunkadmin
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) Enable the Forwarder to start when the system is booted.
> /opt/splunkforwarder/bin/splunk enable boot-start

Init script installed at /etc/rc.d/splunk.
Init script is configured to run at boot.

4) If you don’t use a Deployment server, skip this step. If you use a Deployment server, set the deployment server configuration. Typically this comes from your Splunk team so this is an example only.
> vi /opt/splunkforwarder/etc/system/local/deploymentclient.conf

[deployment-client]

[target-broker:deploymentServer]
targetUri=192.168.1.100:8089

5) Restart the Forwarder and verify the configuration.
> /opt/splunkforwarder/bin/splunk restart
> /opt/splunkforwarder/bin/splunk status

a) Verify that it's set in rc to start at boot and that the process is running.
> service -e | grep splunk
/etc/rc.d/splunk

> ps -x | grep splunkd
1494 - S 0:02.54 splunkd -p 8089 restart
1495 - Is 0:00.04 splunkd: [splunkd pid=1494] splunkd -p 8089 restart [process-runner] (splunkd)

> cat /etc/rc.conf | grep splunk
splunk_enable="YES"

6) Installation is complete.
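
A check for the loader.conf, sysctl.conf and rc.conf settings from this guide, added here as an example and not part of the original steps or of Splunk's tooling. The function names, the optional root prefix and the sample file are assumptions of this example; it also flags typographic quotes, which break these files when values are pasted from a rendered web page.

```sh
#!/bin/sh
# Added example: audit the loader.conf, sysctl.conf and rc.conf values from this guide.
# Function names, the ROOT prefix and the sample tree are assumptions of this example.

# conf_value FILE KEY: print KEY's value, minus trailing comment and ASCII quotes.
conf_value() {
    [ -r "$1" ] || return 0
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in sysctl names are literal
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# check FILE KEY EXPECTED: report the result and return non-zero on a mismatch.
check() {
    got=$(conf_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo "OK   $1: $2=$3"; return 0; fi
    echo "FAIL $1: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# has_curly_quotes FILE: true if FILE holds U+201C, U+201D or U+2033, which
# loader.conf and rc.conf do not treat as quoting characters.
has_curly_quotes() {
    LC_ALL=C grep -qF -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" \
        -e "$(printf '\342\200\263')" "$1" 2>/dev/null
}

# audit_forwarder [ROOT]: check every value from the guide under ROOT (default /).
audit_forwarder() {
    root=${1:-}; rc=0
    for f in boot/loader.conf etc/sysctl.conf etc/rc.conf; do
        if has_curly_quotes "$root/$f"; then echo "FAIL $root/$f: typographic quotes"; rc=1; fi
    done
    check "$root/boot/loader.conf" kern.maxdsiz 2147483648 || rc=1
    check "$root/boot/loader.conf" kern.dfldsiz 2147483648 || rc=1
    check "$root/boot/loader.conf" machdep.hlt_cpus 0 || rc=1
    check "$root/etc/sysctl.conf" vm.max_proc_mmap 2147483647 || rc=1
    check "$root/etc/rc.conf" splunk_enable YES || rc=1
    return "$rc"
}

# Constructed sample: a loader.conf line pasted from a web page with curly quotes.
demo=$(mktemp -d)
mkdir -p "$demo/boot" "$demo/etc"
printf 'kern.maxdsiz=\342\200\2352147483648\342\200\263 # 2GB\n' > "$demo/boot/loader.conf"
audit_forwarder "$demo" || echo "audit failed for the constructed sample"
rm -rf "$demo"
```

On the FreeBSD host itself, call `audit_forwarder` with no argument to check the real files.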