Splunk Universal Forwarder Version 6.2.3+ Microsoft System Center 2012 R2

Author: Ryan Faircloth

Summary: Rapid deployment of the universal forwarder in a production environment is possible with a minimal amount of risk for the customer. The installation of a universal forwarder can be performed at any time without impact to the production system and without reboot. A small caution is required in that if an existing MSI installation has created on reboot actions the installation of the Splunk universal forwarder or any other MSI may trigger a reboot by the SCCM client.



This guide will deploy the universal forwarder to all servers with a supported version of the Microsoft Windows Server operating system.

  • Create a new folder to contain Splunk related collections
  • Create one or more collection containing all systems which should receive the universal forwarder.
  • Create a collection containing all systems where any version of the universal forwarder -has been deployed
  • Create an application definition to deploy the universal forwarder without configuration
  • Create an application definition to deploy an upgrade to the universal forwarder without configuration
  • Create a package containing a powershell script to configure the universal forwarder
  • Deploy the configuration script using a task sequence

Prerequisite Steps

Task Responsible
Create CNAME for Deployment Server DNS Admin
Install Splunk Enterprise on Server Splunk Admin
Configure Splunk Instance as Deployment Server Splunk Admin

Step by Step

Create the deployment collection folder

  1. Navigate to Device Collections

  2. Right click

  3. Create new folder

  4. Name the new folder “Splunk Universal Forwarders”

  5. Navigate to the new folder

Create a collection for deployment

  1. Right click and choose "“Create New Device Collection”
  2. Name the collection “Splunk Deployment Collection for Servers”
  3. Select “All Desktop and Server Clients” as the limiting collection
    Create Device Collection
  4. Click Next
  5. Click Add to define the criteria used to determine which devices will receive the Universal Forwarder
  6. Click Query
  7. Name the Query “Server OS”
  8. Click Edit
  9. Click Show query language
  10. Enter the following query:
    select SMS_R_SYSTEM.ResourceID,
    from SMS_R_System
    inner join
    SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
    SMS_G_System_OPERATING_SYSTEM.ProductType = 2
    or SMS_G_System_OPERATING_SYSTEM.ProductType = 3
  11. Click OK
  12. Click OK again
  13. Enable Incremental Update by checking the box
  14. Click Next
  15. Click Next
  16. Click Close

> Note: the collection will contain zero members until the update collection background task completes

Create a collection of all successfully deployed universal forwarders

  1. Right click and choose “Create New Device Collection”
  2. Name the collection “Splunk Deployment Collection for Deployed Forwarders”

  3. Select “All Desktop and Server Clients” as the limiting collection

  4. Click Next

  5. Click Add to define the criteria used to determine which devices will receive the Universal Forwarder

  6. Click Query

  7. Name the Query “Server OS”

  8. Click Edit

  9. Click Show query language

  10. Enter the following query:

    from SMS_R_System
    inner join
    SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
    inner join
    inner join
    SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
    SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "UniversalForwarder"
    and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "UniversalForwarder"
    or SMS_G_System_INSTALLED_SOFTWARE.ProductName = "UniversalForwarder"
    order by SMS_R_System.Name

  11. Click OK

  12. Click OK again

  13. Enable Incremental Update by checking the box

  14. Click Next

  15. Click Next

  16. Click Close

Note: the collection will contain zero members until the update collection background task completes

Create Application Definitions

Download both the 32bit and 64bit versions of the Splunk Universal Forwarder into the source folder structure used for SCCM deployment applications. Do this for all versions currently deployed as well as the new version to be deployed.

In general the locations are similar to the path:

Create the application definition for the oldest deployed version of the Univeral Forwarder first.

  1. Navigate to Applications in the Software Library screen
  2. Right click and create a new folder for Splunk definitions
  3. Right click on the new folder and choose Create New Application
  4. Locate the 64 bit MSI for this product version
  5. Click Next
  6. Click Next again
  7. Update the definition with the following information
    • Name (Include version Number and bitness Version number i.e. Universal Forwarder 6.2.3 (x64)
    • Publisher
    • Version
    • Update the command line by removing “/q” and appending “/quiet AGREETOLICENSE=Yes”

      Note it is very important that /q is replaced by /quiet

  8. Click Next
  9. Click Next
  10. Click Close
  11. Right click on the new application definition and click properties
  12. Select the deployment type tab
  13. Select the first deployment and click edit
  14. Select the program tab
  15. update the uninstall command replacing /q with /quiet
  16. select the third browse next to product code and select the MSI
  17. Click requirements
  18. Click add
  19. Select category = device condition = operating system and provide the supported 64bit operating systems
  20. Create and additional requirements appropriate for your environment such as memory and disk space free
  21. Click OK
  22. Click OK again
  23. Add a new deployment type define the 32 bit MSI type using the information above
  24. Edit the new type using the information above to set the product MSI and verify requirements
  25. Select the supersedence tab
  26. click add
  27. Click Browse and select the oldest prior version of the application deployed to replace
  28. Map old deployment type to new ensuring the types match
  29. Click OK
  30. Add any other replacements required
  31. Verify your work and click OK

Repeat the application creation process for all versions of the UF in production If you are upgrading monitor your deployment progress You may continue with this procedure while the Universal Forwarder application is deployed.

Create a Configuration Script

  1. Create a source folder to contain the configuration script for example \\servername\source\splunk\scripts\UF_Config_V1
  2. The following script can be used as a template for the appropriate configuration for your site. At minimum the deployment server FQDN must be customized. Name the script configure.ps1
#Splunk Configuration Script for SCCM Task Sequence
#Locate Splunk based on the MSI registration

function Get-IniContent ($filePath)
$ini = @{}
switch -regex -file $FilePath
 "^\[(.+)\]" # Section
$section = $matches[1]
$ini[$section] = @{}
$CommentCount = 0
"^(\#.*)$" # Comment
$value = $matches[1]
$CommentCount = $CommentCount + 1
$name = "Comment" + $CommentCount
#$ini[$section][$name] = $value
"(.+?)\s*=(.*)" # Key
$name,$value = $matches[1..2]
$ini[$section][$name] = $value
return $ini

$location ="C:\Program Files\SplunkUniversalForwarder\"

#note if splunk may not be installed at the default location uncomment the following lines
#$list = Get-WmiOBject -Class Win32_Product | Where-Object {
# $_.Name -eq 'UniversalForwarder' -or $_.Name -eq 'Splunk' }

#$splunkprod = $list | where-Object { $_.InstallLocation }

#$location = $splunkprod.InstallLocation

$scriptappver = 2

$splunkcmd = $location + "bin\splunk.exe"
$staticapp = $location + "etc\apps\_static_all_universalforwarder\"
$staticdefault = $staticapp + "default\"
$staticlocal = $staticapp + "local\"

$staticdefault_dc = $staticdefault + "deploymentclient.conf"
$staticlocal_dc = $staticlocal + "deploymentclient.conf"
$staticdefault_app = $staticdefault + "app.conf"

if (!(Test-Path -Path $staticapp)) {new-item -ItemType Directory -Path $staticapp}

if (!(Test-Path -Path $staticdefault)) {new-item -ItemType Directory -Path $staticdefault}

if (!(Test-Path -Path $staticlocal)) {new-item -ItemType Directory -Path $staticlocal}

if (!(Test-Path -Path $staticdefault_app))
 new-item -path $staticdefault_app -ItemType File
 Add-Content -Path $staticdefault_app -Value "#Generated by scripting"
 #Add-Content -Path $staticdefault_app -Value "`r`n"
 Add-Content -Path $staticdefault_app -Value "[_static_all_universalforwarder]"
 Add-Content -Path $staticdefault_app -Value "author=Ryan Faircloth"
 Add-Content -Path $staticdefault_app -Value "description=Script Generated UF default configuration applied by SCCM"
 Add-Content -Path $staticdefault_app -Value "version=1"
 Add-Content -Path $staticdefault_app -Value "[ui]"
 Add-Content -Path $staticdefault_app -Value "is_visible = false"

$appconf = Get-IniContent $staticdefault_app
$appver = $appconf[“_static_all_universalforwarder”][“version”]

if ($appver -ne $scriptappver)
if (!(Test-Path -Path $staticdefault_dc))
 new-item -path $staticdefault_dc -ItemType File
 Add-Content -Path $staticdefault_dc -Value "#Generated by scripting"
 Add-Content -Path $staticdefault_dc -Value "[deployment-client]"
 Add-Content -Path $staticdefault_dc -Value "clientName=ScriptDeployed|"
 Add-Content -Path $staticdefault_dc -Value "[target-broker:deploymentServer]"
 Add-Content -Path $staticdefault_dc -Value "targetUri=srvsplunk.ad.domainname.com:8089"
 Add-Content -Path $staticdefault_dc -Value ""


& $splunkcmd "restart"

Create a Package to contain the configuration script

  1. Create a new package folder Splunk
  2. Create a new folder on a network share Splunk_config_vx where X is the version of the script and include a customized version of the config script provided
  3. Right click on the package folder create package
  4. Name the package Splunk Configuration Script v1
  5. Select the source folder
  6. Click Next
  7. Click do not create a program
  8. Click next
  9. Click next
  10. Click Close
  11. Right click on the package and click “Distribute Content” using appropriate options for the environment. Do not click deploy
  12. Create the Task Sequence
  13. Crea a new Task Sequence Folder “Splunk”
  14. Right click the Task Sequence Folder Create Task Sequence
  15. Name the task Splunk Config Vx
  16. Click Next
  17. Click Next
  18. Click Close
  19. Right click on the task sequence
  20. Click properties
  21. Click the advance tab
  22. Select suppress task sequence notifications and disable this task sequence on computers where it is deployed
  23. Right click on the task sequence and choose edit
  24. Click Add General —> powershell script
  25. Set the script name i.e. configure.ps1 and execution policy=bypass
  26. Click OK
  27. Right click on the task and deploy to the deployed collection created second above

Create the configuration task sequence

  1. Navigate to Software Library
  2. Navigate to Operating System Deployment
  3. Navigate to Task Sequence
  4. Optional Create a new folder called Splunk
  5. Right click and Create a new task sequence
  6. Select Custom Sequence
  7. Click Next
  8. Name the sequence i.e. Splunk Configuration Script Vx
  9. Click Next
  10. Click Next
  11. Click Close
  12. Right click on the task sequence
  13. Click properties
  14. Click the advanced tab
    • Select suppress task sequence notifications
    • disable this task sequence on computers where it is deployed
  15. Click Ok
  16. Right click on the task sequence and choose edit
    • Click Add General —> powershell script
    • Set the script name and execution policy=bypass
  17. Click OK
  18. Right click on the task and deploy to the deployed collection created second above

Staying up to date with the updates, update smart with Microsoft and Secunia

Its been a busy year already Oracle’s Java, Adobe’s Flash, and so many Updates to Windows. Most users by how have heard they should keep their Windows PCs up to date to avoid infection. Unfortunately, our adversaries have heard the same speech and are trying to deceive through fake updates for your computer. First reliable companies will not notify you by email, instant message, or advertisement that your computer is out of date and needs an update. You may see email or advertisements for new versions or upgrades, and subscription renewals. Some leading software companies are helping us stay secure through automatic or seamless updates such as Google’s Chrome browser, the FireFox Browser, and Adobe’s Flash. Security updates for these productions will simply install in the backgroud without needing your help. You can keep yourself safer by taking a few steps to secure your computer.

Lets take care of our operating system first.

  • Open “Computer” on Windows 7 or “This PC” on Windows 8.1
  • Click on Control Panel in the menu bar.
  • Search for “Windows Update” (1) in control panel then select “Turn automatic updating on or off” (2)


  • Setup the options (1) (2) (3) as shown below then click ok (4)

Windows will now check all Microsoft Products daily for updates and install them as needed. You will be asked to reboot your computer to finish applying updates this is very important don’t put it off. Now what about non Microsoft programs? Secunia provides a product called PSI to help us with this task.

Update the rest of our software with Secuina

First download and install Secuina PSI it is very important for you to download from this link. There are a number of sites offering versions modified to include malware.

  • http://secunia.com/vulnerability_scanning/personal/ you will need to provide your name and email address.
  • Then look for the big “Download Now” button. “Try Now” is for a separate business grade product.


  • Run and install PSISetup.Exe, this is a simple next, next, finish, default choices will be best.
  • After you click finish the software will start to update your computer. I installed an old version of Java to demonstrate the process below:
  • After the updates complete you will see an updated list of software and your are done.

PSI will not upgrade software however, for example Adobe Acrobat XII (Future software) or the new Java JRE 1.8 will require you to visit the software vendor to download or purchase an upgrade at some point in the future.

Getting Started with KeePass Part 1

KeePass is a Open Source Information manager. KeePass is simple to install and has a wide variety of options of personal security however it does not directly integrate with any web browser. The significant plus with this solution is the cost. Free

Get started by downloading and installing the software from this site. 


  • Open KeyPass by clicking on your start menu then all programs then “Key Pass 2”
  • The first time you run the program you will be asked if  can automatically check for updates. Enable this option KeePass
  • KeePass will open up and look like this to start


  • We would like KeePass to start with windows so from the Tools Menu click Options
  • Click the integration tab and check “Run KeyPass at Windows Startup”
  • Click OkKeepass2

Now we are ready to create our first password database. For most users one database will be enough however it may make sense to create separate databases for information associated with a specific organization with a separate database for personal information.

  • From the file menu click “New”
  • Create a folder in documents “KeePass”
  • Name the database with a meaningful name such as “PersonalAccounts”Keepass3
  • Create a master pass phrase with at least 12 total characters, using two words 1 or more upper case letters 1 or more symbols and 1 or more numbers.Keepass4
  • 1-Enter a descriptive name for this database
  • 2-Enter a default username that is either a username or email address that you will typically use for your accounts
  • 3-Optional Pick a colorKeepass5
  • Click the Security Tab
  • Change the iterations value to 15000Keepass6
  • Click OK
  • First lets Add a Group under our Internet identities for social media right click on “Internet” click social group then “Add Group”
  • Keepass7
  • Name the group “Social Media” and Click OKKeepass8
  • Click Add Entry
  • keepass9
  • Fill out the entry with all of the information you have
    • 1- Title of the entry
    • 2- Your Username on this site
    • 3- Your password on this site (x2) if the password is less than 50 bit a strong password is advisable
    • 4- The URL to this site i.e. http://www.facebook.com
    • 5- Click OK
  • The entry will now be listed under the social media group
  • keepass10
  • The entry will not be listed under the social media groupkeepass11
  • Congratulations on creating your first entry! Open a webrowser for the site you just created
  • Return to KeePass and select your entry then choose copy username (green arrow or Control +B)
  • Go to your web browser and past in the username field
  • Return to KeePass and select your entry then choose copy password (red arrow or control +C)
  • Note you have 15 seconds to past the value in to the  correct location last pass will clear the clip board to protect your information
  • keepass12

Repeat the steps above for each web site or system you will use. When you are done with a work session choose “Lock Workspace” from the file menu to protect your information. Also don’t forget to save your database from the file menu after important changes.



Getting Started with Last Pass (Premium)

Last Pass Premium has been my personal choice in password managers for over two years now.  The premium license take care of a few requirements that are above and beyond what most users required yet remains user friendly enough for most users.

  • Plug-ins for all major browsers
  • Support for Ubuntu Linux and Mac OS X
  • Support for iPhone, iPad, and Android devies
  • No limit on the number of in use devices.

Watch this video to get started with last pass.

You can elect to use my referral link for a free month service https://lastpass.com/f?1127646

The three videos in this play list will give you a quick introduction into  making use of Last Pass day to day.


Many of you will ask how secure is Last Pass. I’m glad you ask! Thinking about how secure something is means you are taking your personal security seriously. A better question to ask though is what are my risks with using this software.  The risk is if someone can obtain our master password then all of your accounts would be compromised. That can happen if someone is able to observe or guess your master password.

  • Reduce this risk by using a strong  pass phrase to secure your account.
  • Only access your last pass account from devices you can trust. A device you can trust is a device you own and control, with no other users..
  • If you must access your last pass account from shared devices Do not save your master password on devices shared others, including friends family or co-works.

We can make a few small changes to make our information more secure. On your desktop double click the Last Pass icon and log then click on settings.

  • First restrict login to only those countries in which you may travel frequently. This list can be changed at any time be sure visit this setting before traveling.




  • The second thing we will change is requiring the entry of our master password before a password can be “shared”. This is a feature that is security sensitive. It can be a great feature for families allowing you to securely share passwords for financial sites with family members. It should not be used for enterprise credentials.
  • We also want to enter a “security” email address which can be used to notify you of concerns with your account. A family member or work email is frequently used here.



  • The last thing we should do is restrict login from mobile devices. After you have installed Last Pass on all of your devices, come to this screen to “restrict” and then enable each of your devices.



Lass Pass supports the use of two factor authentication selecting and enabling is beyond the scope of this article.


Getting Started with DashLane 3 Premium

Dashlane 3 Premium is an alternative to LastPass, Dashlane is generally a less technical program and does not support the Linux operating system.  The biggest pro for Dashlane over others is its simplicity there is no configuration required to use this software securely. The con for dashlane is that lack of advanced features

  • No ability to restrict usage by contry
  • No ability to restrict login to certain devices
  • No ability to required two factor authentication such as smart token or sms message.
  • Higher cost $30 per year compared to $12 for lastpass

To get started last pass for six months free use my referral link below


Watch this getting started video.

Joy to share

Ok many of you may know me for those that don’t. I will share that I am not the kind of person you would count as full of joy. I’ve been told if I am standing in a room my default mode is simply scary. Not that I am an unhappy person by any means if you are willing to risk approaching me you will find my appearance is misleading. My devotion today has me asking to I have joy to share.

Then Nehemiah the governor, Ezra the priest and teacher of the Law, and the Levites who were instructing the people said to them all, “This day is holy to the Lord your God. Do not mourn or weep.” For all the people had been weeping as they listened to the words of the Law. Nehemiah said, “Go and enjoy choice food and sweet drinks, and send some to those who have nothing prepared. This day is holy to our Lord. Do not grieve, for the joy of the Lord is your strength.” (Nehemiah 8:9, 10 NIV)

Nehemiah said something profound on hearing the law. He told the people that the very law that was condemning the nation was cause for joy. He realized that the condemnation was leading to salvation. He wanted everyone to share the joy. He wanted them to be joyous so much so his instructions were to share with those that we’re not prepared. Are there people in my life that are not prepared to enjoy our salvation? Have I prepared enough joy to provide them with plenty and not be lacking myself. I think this wise king was on to something this might just be the very heart of the Gospel.

What’s Here

I am Ryan Faircloth, this is my family by wife Brandy, son Wesley, and daughter Bree.  Together the “Faircloths”. I’m the hacker, my wife the teacher, my daughter the creative, my son the concrete. Its a pretty good mix in our house which is great but not without its challenges. We are a blended family our history could not be more diverse. I was raised by a single mom as my parents divorced early in my life. My wife was raised by two awesome parents. Our children are our blessing through adoption they have been our children now for over three years, following about four years within the Florida system.

My wife Brandy is a wonderful wife and mom. She is a teacher presently sixth grade math. Leader in our church working with our women’s program and anywhere there is a need. She enjoys meeting new people and cooking, even helping others enjoy it themselves as a Pampered Chef Consultant.

The kids are simply amazing considering what they have been through we could not be more pleased. God has blessed our family! I could write much more about the family and I will over time in the blog.

I am a life long hacker I will explain that over time in the blog. For now what is important is to know hacker is neither good nor bad. It simply a style of problem solving, combined with a set of skills that can be adapted to the challenge at hand. Unfortunately human tendencies and dramatic flare present a negative image the the world at large.


I am also an athlete, triathlete to be more specific, not that I have always been. I acquired an interest in sports later in life than most, I once found my self weighing 290 pounds and determined a change was required in my life.    Yes this was me three years ago.