Splunk Universal Forwarder
Install the Splunk Universal Forwarder
You can install the Splunk Universal Forwarder on your
- Endpoints
- Windows Event Collector node
The installation is largely the same. Differences are explained in the installation steps, where applicable.
You can receive events from the Endpoint Privilege Management Reporting database.
Install Splunk Universal Forwarder
The Splunk Universal Forwarder can be used to collect data from your endpoints.
You can download the forwarder from Splunk: https://www.splunk.com/en_us/download/universal-forwarder.html.
To install the Splunk Universal Forwarder:
- Double-click the Splunk Universal Forwarder installer.
- Check the box at the top of the Setup dialog box to accept the license agreement.
- Click Customize Options.
- Use the default installation location and click Next.
- If you want the events sent to Splunk encrypted in transit, provide an SSL certificate on this screen; otherwise leave it blank. Click Next.
- If installing the Splunk Universal Forwarder on an endpoint, leave the service account at the default, Local System. The forwarder only needs to read the event log of the machine it runs on, so it does not need a domain account with remote access rights. Click Next.
- If installing the Splunk Universal Forwarder on the Windows Event Collector node, select the Forwarded Events check box so that the events the subscribed endpoints forward to that node are sent on to Splunk Enterprise. Click Next.
Note
In the next two screens you can configure a Deployment Server and a Receiving Indexer. At a minimum you must configure one of the two, otherwise the forwarder has nowhere to send events.
- Enter the host name (or IP address) and port of the Splunk Deployment Server. A deployment server distributes configurations, applications, and content to groups of Splunk instances, so you can manage the forwarder's inputs centrally later. Click Next.
- Enter the host name (or IP address) and port of the Splunk Receiving Indexer. The receiving indexer is the Splunk Enterprise instance that accepts events from the forwarders on your endpoints. Click Next.
- Click Install to complete the installation.
The next step is to configure the types of events you want to collect.
Configure the event types for Splunk Enterprise
After you install the Splunk Universal Forwarder, you can configure the types of events to send to Splunk Enterprise.
To configure the type of events, you need to edit the inputs.conf file. In a default installation of the Splunk Universal Forwarder, the file is stored in this path:
C:\Program Files\SplunkUniversalForwarder\etc\system\local
Note
Depending on your user access, you might need to change the permissions on the file to apply changes.
This example collects Endpoint Privilege Management events from the endpoint or the Windows Event Collector node the forwarder runs on. Replace the host value with the name of that machine; DESKTOP-OU2VDC4 is only an example:
[default]
host = DESKTOP-OU2VDC4
[WinEventLog://Avecto Defendpoint Service]
disabled = false
Note
If you use the alternate log location, the event log name and source name are BeyondTrust Privilege Management instead.
Restart the Splunk Universal Forwarder service for the changes to take effect.
Parse Endpoint Privilege Management events in Splunk
You can parse Endpoint Privilege Management events in Splunk to create custom reports and dashboards.
You can substitute Avecto Defendpoint Service with Avecto Privilege Guard Service where applicable for older versions of the product.
- On the Splunk server, navigate to C:\Program Files\Splunk\etc\system\local and open the props.conf. If the file does not exist, you can create it.
- Add the following lines:
[Wineventlog:Application]
SourceName = "Avecto Defendpoint Service"
REPORT-fields = wineventlog_parser
- In the same directory, open the transforms.conf file for editing and add the following lines. If the file does not exist, you can create it.
[wineventlog_parser]
SourceName = "Avecto Defendpoint Service"
REGEX = (?m)^\s+([^:\n\r]+):\s([^\n\r]+)
FORMAT = $1::$2
MV_ADD = true
- Restart the Splunk server from the Settings menu. Go to System > Server Controls, and then click Restart Splunk.
- On the Search page, search for SourceName = "Avecto Defendpoint Service" in the index that receives the forwarder's events (dp_events in this example). For example:
index="dp_events" SourceName="Avecto Defendpoint Service"
Note
If you use the alternate log location, the event log name and source name are BeyondTrust Privilege Management instead, so search for that SourceName.
- The parsed fields are displayed on the left of the search.
- On the search page you can build the search query using fields such as:
index="dp_events" SourceName="Avecto Defendpoint Service" | table Application_Group,ComputerName,LogName,EventCode,Keywords,Command_Line,File_Name,Description,Process_Id,Parent_Process_Id,Workstyle,Sid,SidType,RecordNumber,Hash,Certificate | search EventCode!=0 AND EventCode!=10
- The table is displayed with a header for each attribute you specified in your query. You may need to change the time filter on the right to see all the events.
Note
The field extraction above is only applied when the search specifies the index, as in the examples above; a search that omits the index term does not show the parsed fields.
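The transforms.conf stanza above extracts every indented `Label: value` line of the event message into a field named after the label. The following Python script is an added example, not part of this page or of BeyondTrust's or Splunk's code: it applies the same REGEX to a constructed event message and reproduces what Splunk does with FORMAT = $1::$2, MV_ADD = true and its default CLEAN_KEYS behaviour (characters in a field name that are not letters, digits or underscores become underscores, which is why the search above refers to Application_Group and Command_Line rather than to the labels with spaces). The sample message is constructed for illustration and does not reproduce the exact wording of a real Endpoint Privilege Management event.

```python
import re
from collections import OrderedDict

# REGEX exactly as in the transforms.conf stanza on this page.
FIELD_RE = re.compile(r"(?m)^\s+([^:\n\r]+):\s([^\n\r]+)")


def clean_key(name: str) -> str:
    """Approximate Splunk's CLEAN_KEYS (on by default): anything in a
    field name that is not a letter, digit or underscore becomes '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def parse_event(message: str) -> "OrderedDict[str, list[str]]":
    """Apply the page's REGEX with FORMAT = $1::$2 and MV_ADD = true.

    $1 (the label before the first colon on the line) becomes the field
    name and $2 (the rest of the line) its value, so values may contain
    colons such as drive letters. MV_ADD means a label that occurs more
    than once yields a multivalue field, so every value is kept. Lines
    without leading whitespace, such as the event summary line, never
    match because the regex is anchored on leading whitespace."""
    fields = OrderedDict()
    for match in FIELD_RE.finditer(message):
        key = clean_key(match.group(1).strip())
        value = match.group(2).rstrip()
        fields.setdefault(key, []).append(value)
    return fields


# Constructed sample message (labels follow the field names used in the
# search on this page; the wording is illustrative, not a real event).
SAMPLE_EVENT = """Process Created (Allowed)
    Application Group: Trusted Installers
    Workstyle: Standard Users
    File Name: C:\\Windows\\System32\\cmd.exe
    Command Line: "C:\\Windows\\System32\\cmd.exe" /c whoami
    Process Id: 4312
    Parent Process Id: 1180
    Hash: 0123456789abcdef0123456789abcdef01234567
Reason: this line is not indented, so the regex does not extract it
"""


def example_fields() -> dict:
    """Parse the constructed sample and return it as a plain dict."""
    return dict(parse_event(SAMPLE_EVENT))


if __name__ == "__main__":
    for name, values in example_fields().items():
        print(f"{name} = {values}")
```

Running the script shows the summary line and the unindented "Reason" line are ignored while every indented label becomes a field, so if a field you expect is missing from the Splunk search, check whether that line of the event message is indented in the raw event.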