The Splunk Universal Forwarder is a tool used to pull Event Logs, Flat Files, and pretty much anything you want from Windows, Linux, and most other Operating Systems.
On the Linux side, the Splunk Universal Forwarder doesn’t start automatically on bootup.
The first time I deployed the Splunk Forwarder using automation I didn't account for this; once the servers rebooted, I saw that they were no longer sending logs into the SIEM.
The quick and simple documented fix for this is to run the following command (the splunk binary lives in the bin directory of the install):
/opt/splunkforwarder/bin/splunk enable boot-start
Splunk is usually installed into /opt/splunkforwarder on Linux, so if you have Splunk installed in a different location on your systems, you just need to update the path.
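The fix above is a one-liner, but in an automated deployment you want it to be idempotent and to survive a non-default install path. The following shell script is an added example (not from the original post or from Splunk): it builds the command for whatever SPLUNK_HOME is in use, checks whether boot-start is already configured before running anything, and refuses to proceed if the binary is missing. The check assumes that "splunk enable boot-start" writes /etc/init.d/splunk on SysV-style hosts and a unit named SplunkForwarder.service when it is systemd-managed; the optional "-user" argument is the flag that makes the forwarder run as a non-root account.

```shell
#!/bin/sh
# Added example: idempotently enable boot-start for the Splunk Universal
# Forwarder on Linux. Not the original post's code; SPLUNK_HOME defaults to
# the usual /opt/splunkforwarder and can be overridden for other installs.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the exact command to run for install path $1. If a second argument
# (a service account) is given, append "-user <account>" so the forwarder
# does not run as root.
boot_start_cmd() {
    if [ $# -ge 2 ] && [ -n "$2" ]; then
        printf '%s/bin/splunk enable boot-start -user %s\n' "$1" "$2"
    else
        printf '%s/bin/splunk enable boot-start\n' "$1"
    fi
}

# Return 0 if boot-start already appears to be configured under root prefix
# $1 ("" for the live system; a temp dir in tests). Assumed artefacts:
# /etc/init.d/splunk (SysV) or SplunkForwarder.service (systemd-managed).
boot_start_enabled() {
    root="${1:-}"
    [ -f "$root/etc/init.d/splunk" ] && return 0
    [ -f "$root/etc/systemd/system/SplunkForwarder.service" ] && return 0
    return 1
}

# Enable boot-start for install path $1 (and optional service account $2)
# only when it is not already enabled. Returns 2 if no splunk binary exists
# at the expected path, so a wrong SPLUNK_HOME fails loudly in automation.
ensure_boot_start() {
    home="$1"
    user="${2:-}"
    if [ ! -x "$home/bin/splunk" ]; then
        echo "no splunk binary at $home/bin/splunk (check SPLUNK_HOME)" >&2
        return 2
    fi
    if boot_start_enabled ""; then
        echo "boot-start already enabled; nothing to do"
        return 0
    fi
    echo "running: $(boot_start_cmd "$home" "$user")"
    if [ -n "$user" ]; then
        "$home/bin/splunk" enable boot-start -user "$user"
    else
        "$home/bin/splunk" enable boot-start
    fi
}

# Only touch the live system when explicitly asked, e.g.:
#   sudo SPLUNK_HOME=/opt/splunkforwarder sh enable-boot-start.sh --apply splunkfwd
if [ "${1:-}" = "--apply" ]; then
    ensure_boot_start "$SPLUNK_HOME" "${2:-}"
fi
```

Sourcing the file without "--apply" only defines the functions, which is what lets a configuration-management run or a test exercise the checks without starting the forwarder.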
Splunk installs a service on the Windows side that is set to run when the machine boots, so there isn't any work to do on Windows.