Splunk Enterprise Pt. 3 (Forwarders on Ubuntu and Dashboards-Applications)

   Jul 5, 2022     4 min read

Yesterday we left off with installing the universal forwarder on Windows and managing it from our Splunk Enterprise installation. What I didn’t mention was installing the universal forwarder on a Linux based operating system. Let’s get more data into out Splunk Enterprise instance.

First lets visit the Splunk Downloads page and grab the URL for our Universal Forwarder. If we had a GUI we could simply download it from here, or we could SCP the file over through SSH from our host computer, however I prefer directly downloading the file using their provided wget command:

Splunk Download Screen

Click above to get the wget command

wget Command

Now lets SSH over to our Linux box and download the universal forwarder

$ wget -O splunkforwarder-9.0.0-6818ac46f2ec-linux-2.6-amd64.deb ""

and install it (in this case, since it’s Ubuntu/Debian based, and a .deb file):

$ sudo dpkg -i splunkforwarder-9.0.0-6818ac46f2ec-linux-2.6-amd64.deb

This will install the Splunk Universal Forwarder into the “/opt/splunkforwarder” folder. From here setup is pretty straight forward. Let’s start the Splunk Forwarder, go into the /opt/splunkforwarder folder if not already in it then start the forwarder:

$ cd /opt/splunkforwarder
$ sudo ./splunk start --accept-license

It should ask you initially to create a username and password. This username and password is for the Universal Forwarder installed here. Next let’s enable the Universal Forwarder to start at boot, first stop Splunk, then enable it.:

$ sudo ./splunk stop
$ sudo ./splunk enable boot-start



Now let’s set up the Universal Forwarder to reach out to our Splunk Enterprise “all in one” instance for instructions on what to forward/how to forward logs/information (i.e. the deployment server). In a typical enterprise environment you would have a deployment server set up that would be responsible for this task, however in our #homelab we have everything tied into one. Let’s continue:

$ sudo ./splunk set deploy-poll

This will automatically create our deploymentclient.conf file located at /opt/splunkforwarder/etc/system/local/deploymentclient.conf. If you want you can read through documentation and create this yourself, however I prefer using the CLI to have Splunk create this for me (either way is perfectly fine).

NOTE: You can very well use an IP address instead of a FQDN (replace with 192.168.x.x:8089 or whatever IP your Splunk Server is), however I prefer using a FQDN set by my Firewall/Router in the event that I change my network IP addresses around for whatever reason, I’m not having to track down several broken links. It’s also just a best practice.

Now let’s restart the Universal Forwarder:

$ sudo ./splunk restart

And back to our Splunk Enterprise instance:

New Forwarders

Continue on with adding this Linux host and configuring what logs to aggregate.

Let’s browse some Splunk Applications

From the Splunk homepage, click on “Splunk Apps” and lets search for “Windows”

Splunk Homepage

From the Splunk homepage, click on “Splunk Apps” and lets search for “Windows”

Splunk Apps


The Splunk Add-on for Microsoft Windows provides Splunk with better insight/data ingestion for Windows Products, Read more here: and

We’ll also install another Application, Windows Personal Security

Windows Personal Security

After installing Windows Personal Security you can go to the dashboard and it provides you with an already configured template for Windows Event Log review:

Windows Personal Security Dashboard

The top bar allows you to review different data sets, for example clicking on “System”

Windows Personal Security System

We can see there are several security log events for my Windows PC, Let’s take a look at the Application Log Events.

Application Log Events

This has pre-defined searches within the log files you can review here, made up in a pre-configured dashboard.

You can also configure your own dashboard, to call your own searches, or if you are so inclined, subscribe and pay for other dashboards. Splunk is VERY versatile, for example you can connect to Nessus to ingest your vulnerability scans and keep a running history of your scans as well as have a dashboard you can log into. Your front page when you log into Splunk can be configured anyway you like it. The possibilities are ENDLESS and you can spend MONTHS setting up and configuring your dashboards/searches just the way you like them.