I'm setting up an Auto-Scaling group in Amazon using an AMI. I want my logs, specifically apache logs, to be pushed into my Splunk server, but want to make sure I do this properly. So the set-up is currently it spins up the AMI and runs a user data script to prep the system for the proper set-up either test or prod. We can have anywhere from 4-18 servers depending on load.
Would it be best to install the forwarder on the AMI or is there another way to do this?