Configure the universal forwarder after installation
After installation, configure the universal forwarder to communicate with your Splunk platform infrastructure.
Configure an indexer
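To configure the universal forwarder to send data to an indexer, run the following command:
/opt/splunkforwarder/bin/splunk add forward-server <indexer>:9997 -auth admin:<password>
The -auth argument places the password on the command line, where it is saved in shell history and visible in the process list while the command runs. If you omit -auth, the CLI prompts for credentials instead. This applies to every command on this page that takes -auth.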
Configure agent management
To configure the universal forwarder to connect to agent management, run the following command:
/opt/splunkforwarder/bin/splunk set deploy-poll <deployment-server>:8089 -auth admin:<password>
Add data inputs
To add data inputs for the universal forwarder to monitor, run the following commands:
# System logs:
/opt/splunkforwarder/bin/splunk add monitor /var/log -auth admin:<password>
# Application logs:
/opt/splunkforwarder/bin/splunk add monitor /Library/Logs -auth admin:<password>
# User logs (requires Full Disk Access; the shell expands ~ to the home directory of the account that runs the command):
/opt/splunkforwarder/bin/splunk add monitor ~/Library/Logs -auth admin:<password>
Restart the universal forwarder
To restart the universal forwarder, run the following command:
/opt/splunkforwarder/bin/splunk restart
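The steps above can be checked after the restart by reading back what they wrote. The script below is an added example, not part of Splunk's documentation or tooling. It assumes the commands store their settings in "local" directories under the install path, in the stanzas [tcpout:default-autolb-group] and [target-broker:deploymentServer]; the function names, host names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Splunk tooling: confirm the setup commands left the expected
# settings in local .conf files. Stanza names and file locations are assumed defaults.

# conf_get ROOT FILE STANZA KEY: print KEY's value from [STANZA] in any local/FILE
conf_get() {
    find "$1" -path "*/local/$2" -type f 2>/dev/null | while read -r f; do
        awk -v s="[$3]" -v k="$4" '
            /^\[/ { cur = $0; next }
            cur == s && (i = index($0, "=")) {
                key = substr($0, 1, i - 1); val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == k) print val
            }' "$f"
    done
}

# list_monitors ROOT: print every path that has a [monitor://...] stanza
list_monitors() {
    find "$1" -path '*/local/inputs.conf' -type f -exec \
        sed -n 's|^\[monitor://\(.*\)\]$|\1|p' {} + 2>/dev/null
}

# check_forwarder ROOT [PATH...]: return 0 only if a receiver, a deployment
# server and every expected monitor PATH are configured
check_forwarder() {
    root=$1; shift; rc=0
    server=$(conf_get "$root" outputs.conf tcpout:default-autolb-group server)
    target=$(conf_get "$root" deploymentclient.conf target-broker:deploymentServer targetUri)
    [ -n "$server" ] && echo "receiver: $server" || { echo "MISSING: forward-server"; rc=1; }
    [ -n "$target" ] && echo "deploy-poll: $target" || { echo "MISSING: deploy-poll"; rc=1; }
    for p in "$@"; do
        list_monitors "$root" | grep -qxF "$p" && echo "monitor: $p" \
            || { echo "MISSING: monitor $p"; rc=1; }
    done
    return $rc
}

# make_sample DIR: write constructed .conf files shaped like the commands' results
make_sample() {
    mkdir -p "$1/etc/system/local" "$1/etc/apps/search/local"
    printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n[tcpout:default-autolb-group]\nserver = idx.example.com:9997\n' > "$1/etc/system/local/outputs.conf"
    printf '[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n' > "$1/etc/system/local/deploymentclient.conf"
    printf '[monitor:///var/log]\ndisabled = false\n\n[monitor:///Library/Logs]\ndisabled = false\n' > "$1/etc/apps/search/local/inputs.conf"
}

# No argument: check the constructed sample. Otherwise pass the install directory.
demo=$(mktemp -d) && make_sample "$demo"
check_forwarder "${1:-$demo}" /var/log /Library/Logs
rm -rf "$demo"
```

Run it with /opt/splunkforwarder as the argument to check a real installation. A monitor added with ~ appears under its expanded absolute path, so pass that path when checking for it.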
Next steps: configuration and management
After successfully installing the universal forwarder, consult the following resources:
- To learn about configuring the universal forwarder, see Enable a receiver for Splunk Enterprise.
- To learn about macOS data sources, see the Get Data In manual.
- To learn about managing universal forwarders at scale, see the Update Your Deployment manual.