https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501669#M85481 <P>You have the general idea. Allow me to add some tips.</P> <P>1) Run Splunk Enterprise on a Linux server if you can. You'll be much happier if you do.<BR /> 2) If you run Splunk on Windows, don't use a domain account.<BR /> 3) The Universal Forwarders should get their configuration files from a Splunk Deployment Server (DS). Using a DS means you don't need to sign in to each server/workstation to update the UF configs.<BR /> 4) You don't say how many users will be using Splunk or what hardware Splunk will be on, but I expect you will quickly outgrow a standalone Splunk server. If this is not just a sandbox, consider setting up a distributed environment with separate search head and indexer servers.</P> Fri, 27 Mar 2020 15:26:46 GMT richgalloway 2020-03-27T15:26:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501668#M85480 <P>I am trying to understand how to set up Splunk for the first time. I have several Server VMs (exchange, DC, SCCM, Splunk) and about 70 workstations. </P> <P>I want to use Splunk to audit my workstations' event logs. This is a high level overview on how I understand that to occur:</P> <OL> <LI>Install Splunk Enterprise on my Splunk Server (set up permissions as a domain user, etc)</LI> <LI>Configure Splunk Server as a Receiver</LI> <LI>Install a Universal Forwarder on every workstation and all of the other servers.</LI> <LI>Configure each Universal Forwarder- define inputs on the universal forwarder with configuration files</LI> </OL> <P>Am I understanding this correctly?</P> Fri, 27 Mar 2020 13:36:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501668#M85480 danielleedgingt 2020-03-27T13:36:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501669#M85481 <P>You have the general idea. Allow me to add some tips.</P> <P>1) Run Splunk Enterprise on a Linux server if you can. You'll be much happier if you do.<BR /> 2) If you run Splunk on Windows, don't use a domain account.<BR /> 3) The Universal Forwarders should get their configuration files from a Splunk Deployment Server (DS). Using a DS means you don't need to sign in to each server/workstation to update the UF configs.<BR /> 4) You don't say how many users will be using Splunk or what hardware Splunk will be on, but I expect you will quickly outgrow a standalone Splunk server. If this is not just a sandbox, consider setting up a distributed environment with separate search head and indexer servers.</P> Fri, 27 Mar 2020 15:26:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501669#M85481 richgalloway 2020-03-27T15:26:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501670#M85482 <P>Hi @danielleedgington92,<BR /> in addition to all the hints of @richgalloway , I suggest to create a Technical Add-on (called e.f. TA_Forwarders): it's an app containing only two files:</P> <UL> <LI>deploymentclient.conf</LI> <LI>outputs.conf</LI> </UL> <P>The first one contains the address of the Deployment Server (remember that if you have to manage more than 50 target servers you must have a dedicated server for this role!).<BR /> The second one contains the addresses of the indexers.</P> <P>In this way you can manage all the configurations by Deployment Server.<BR /> The problem is how to rich the Deployment Server for the first time: for this reason, I usually copy this app (TA_Forwarders) on each target server (and I restart Splunk on UF), so it's connected with the Deployment Server and I can deploy to all the UFs the TAs I need.</P> <P>Ciao.<BR /> Giuseppe</P> Fri, 27 Mar 2020 15:34:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Set-up-Splunk-Enterprise-Forwarders-and-Receivers/m-p/501670#M85482 gcusello 2020-03-27T15:34:52Z