Troubleshoot common installation issues for the universal forwarder
Identify and resolve common issues that can occur when installing the universal forwarder on macOS, including GateKeeper warnings, Full Disk Access problems, launch daemon failures, and connectivity issues.
Identify and resolve common installation issues for the universal forwarder on single macOS machines or across your entire fleet.
GateKeeper warnings - macOS 13 and higher versions
- Issue:
- You receive GateKeeper security warnings about the downloaded software.
- Cause:
- The macOS 13 (Ventura) and higher versions of the operating system introduced stricter security requirements for background services.
- Possible solutions:
- Ensure your .pkg installer is properly signed with a Developer ID Installer certificate.
- Install the universal forwarder using MDM, which bypasses GateKeeper for managed software.
Full Disk Access Denied
- Issue:
- The universal forwarder cannot read /var/log/system.log or other protected files.
- Possible solutions:
- Ensure the PPPC profile is deployed and applied.
- Manually grant access in System Preferences > Security & Privacy > Privacy > Full Disk Access.
Launch Daemon is not starting
- Possible solution:
- Verify whether the Launch Daemon is in the correct location and loaded:
CODE
ls -la /Library/LaunchDaemons/com.splunk.plist
sudo launchctl list | grep splunk
Connection issues
- Issue:
- Network connectivity and firewall issues
- Possible solutions:
- Test connectivity to the deployment server:
CODE
nc -zv <deployment-server> 8089
- Test connectivity to the indexer:
CODE
nc -zv <indexer> 9997
- Check universal forwarder logs:
CODE
tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log
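The launch daemon and connectivity checks above can be chained into one triage function that stops at the first failing layer and prints a single status token, which is easier to collect across a fleet than raw command output. This is an added example, not part of the vendor documentation; the function name `uf_triage`, the status tokens, and the `PLIST` and `SPLUNKD_LOG` override variables are hypothetical, and it assumes it runs as root.

```shell
#!/bin/sh
# Added example (not vendor code): ordered triage of the checks on this page.
# Assumption: run as root so that `launchctl list` shows system daemons.
# PLIST and SPLUNKD_LOG default to the paths used on this page and can be
# overridden for non-default installs.
PLIST="${PLIST:-/Library/LaunchDaemons/com.splunk.plist}"
SPLUNKD_LOG="${SPLUNKD_LOG:-/opt/splunkforwarder/var/log/splunk/splunkd.log}"

# uf_triage <deployment-server> <indexer>
# Prints one status token and returns 0 only when every check passes.
uf_triage() {
    ds_host="$1"
    idx_host="$2"

    # 1. The launch daemon definition must exist before it can be loaded.
    [ -f "$PLIST" ] || { echo "plist-missing"; return 1; }

    # 2. The daemon must be loaded into launchd.
    launchctl list | grep -q splunk || { echo "daemon-not-loaded"; return 1; }

    # 3. Management port on the deployment server (5-second timeout).
    nc -z -w 5 "$ds_host" 8089 >/dev/null 2>&1 ||
        { echo "deployment-server-unreachable"; return 1; }

    # 4. Receiving port on the indexer.
    nc -z -w 5 "$idx_host" 9997 >/dev/null 2>&1 ||
        { echo "indexer-unreachable"; return 1; }

    # 5. There must be a splunkd.log to inspect for anything the
    #    checks above do not explain.
    [ -r "$SPLUNKD_LOG" ] || { echo "splunkd-log-missing"; return 1; }

    echo "ok"
}

# Run directly as: sh uf_triage.sh <deployment-server> <indexer>
if [ "$#" -eq 2 ]; then
    uf_triage "$1" "$2"
fi
```

Any token other than `ok` names the section of this page to work through first.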