All our many Unix servers are already set up to send syslog data to a central syslog server for archival. I have a Splunk forwarder installed on the central syslog server sending /var/log to Splunk. Now we are installing the Splunk forwarder on all the Unix servers and using the Splunk Add-on for Unix and Linux to send data into Splunk, which includes everything in /var/log. How do I configure things so as to not have duplicate entries (one from a server and one from the central syslog server) ending up in Splunk?
You will need to blacklist any input that you don't want the forwarder to send from the Unix servers.
The Splunk Add-on for Unix and Linux can be configured to select only the data that you want by editing inputs.conf in etc/apps/SplunkTAnix/local
This will disable the the input
disabled = 1
BTW, all inputs are disabled by default in the add-on. So you should only turn on the inputs that you want before you deploy the add-on to all the forwarders.
If you want to turn on the input, but only forward a subset of the files, use the whitelist/blacklist to select the files. Again, this belongs in
etc/apps/SplunkTAnix/local/inputs.conf. Following is an example where the forwarder will monitor /var/log