Hello all,
Could anyone please let me know how to install the Splunk add-on for Apache web server and configure Apache logs for monitoring, step by step?
Hi @chaga,
First, check whether you're receiving logs from that server by running the search
index=_internal host=<your_host>
If you haven't any logs there, there's no connection between the UF and the Indexer; if instead you have logs, there's a problem in the Add-on settings.
In the first case, check the connection using telnet from the target server:
telnet Indexer_IP 9997
If it isn't OK, you have to check the firewall routes between the target and the Indexer; if it's OK, check whether outputs.conf has the correct Indexer IP address.
If instead you are receiving internal logs but not Apache logs, first check the permissions on these files (what's the user owner of the splunkd process?).
Then, how did you install the Add-on on the target server?
Did you restart the Universal Forwarder after copying and untarring the Add-on?
Then see in the Add-on's inputs.conf whether all the stanzas have disabled=0.
Ciao.
Giuseppe
Can anyone tell me which ports should be listening on the Splunk server and on the target server (client)?
I'm so confused. The Indexer is the one you give while adding the path to monitor, right? For example:
./splunk add monitor /var/log/apache2/access.log -index apache -sourcetype access_log
What is called the indexer? Should we configure the indexer as a separate server?
Sorry, I'll try to be clearer:
You spoke of a Universal Forwarder; that's on the target server to monitor.
It should send logs to a Splunk server (called the Indexer) that should be on a separate server and contains all the logs and searches on them; I think (if I'm wrong, please correct me!) you have a single Splunk stand-alone server and not a distributed architecture. Is that correct?
So if you have a stand-alone server, the Indexer is your stand-alone server.
First you have to check whether your Splunk server receives logs from the Universal Forwarder; to do this, run a search on Splunk:
index=_internal host=<your_host>
If you haven't any logs, you have to perform some checks:
telnet ip_splunk_server 9997
If it isn't OK, you have to check the firewall routes between the target and the Indexer on port 9997; if it's OK, check whether in $SPLUNK_HOME/etc/system/local/outputs.conf
of the Universal Forwarder you have the correct Splunk server IP address.
If instead you are receiving internal logs but not Apache logs, first check the permissions on these files (what's the user owner of the splunkd process on the UF?).
Then, how did you install the Add-on on the UF, and which user did you use? Does it have the grants to read the files?
At the end, did you restart the Universal Forwarder after copying and untarring the Add-on?
Then see in $SPLUNK_HOME/etc/apps/splunk-apache-addon/local/inputs.conf
or $SPLUNK_HOME/etc/apps/splunk-apache-addon/default/inputs.conf
of the Add-on whether all the stanzas have disabled=0.
Ciao.
Giuseppe
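The checklist in the answer above (where does outputs.conf point, can the UF reach port 9997, can the splunkd user read the monitored files, is any stanza disabled, is the indexer actually listening) can be scripted. The following is an added example written for this page, not code from the thread or from Splunk. It builds a throw-away directory tree that stands in for $SPLUNK_HOME on the forwarder and on the indexer; the add-on app directory name is taken from the thread, while the 192.0.2.10 indexer address, the index and sourcetype values and the two log lines are constructed for the demo. The readability check tests the user running the script, so run it as the user that owns the splunkd process.

```shell
#!/bin/sh
# Added example, not from the thread: script Giuseppe's UF troubleshooting checklist.
# All paths, addresses and log content below are constructed for the demo.

# 1. Where does the UF think the indexer is?  ("server = host:port" in outputs.conf)
outputs_servers() {   # $1 = outputs.conf -> prints every server value, whitespace stripped
  awk -F= '/^[[:space:]]*server[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# 2. Can that port be reached at all?  Same question as "telnet indexer 9997".
check_port() {        # $1 = host, $2 = port; exit 0 only if a TCP connect succeeds
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else                # fallback: bash's /dev/tcp, bounded by timeout(1) when present
    $(command -v timeout >/dev/null 2>&1 && echo "timeout 3") \
      bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# 3. Which stanzas are switched off?  (disabled = 1 or disabled = true)
disabled_stanzas() {  # $1 = any .conf -> prints the [stanza] headers that are disabled
  awk '
    /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*/, "", s); next }
    /^[[:space:]]*disabled[[:space:]]*=/ {
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      if (v == "1" || tolower(v) == "true") print s
    }' "$1"
}

# 4. Is the indexer listening?  Receiving needs an enabled [splunktcp://PORT] stanza.
has_splunktcp_listener() {  # $1 = indexer-side inputs.conf, $2 = port
  grep -q "^\[splunktcp://$2\]" "$1" || return 1
  disabled_stanzas "$1" | grep -q "^\[splunktcp://$2\]" && return 1
  return 0
}

# 5. Can the user running this script (ideally the splunkd user) read every monitored file?
monitored_paths() {   # $1 = inputs.conf -> prints the path of each [monitor://...] stanza
  sed -n 's|^[[:space:]]*\[monitor://\(.*\)][[:space:]]*$|\1|p' "$1"
}
unreadable_paths() {  # $1 = inputs.conf -> prints monitored paths the current user cannot read
  monitored_paths "$1" | while IFS= read -r p; do
    [ -r "$p" ] || echo "$p"
  done
}

# ---- constructed demo tree standing in for $SPLUNK_HOME on the UF and on the indexer ----
DEMO=$(mktemp -d)
UF_LOCAL="$DEMO/splunkforwarder/etc/system/local"
ADDON_LOCAL="$DEMO/splunkforwarder/etc/apps/splunk-apache-addon/local"
IDX_LOCAL="$DEMO/splunk/etc/system/local"
mkdir -p "$UF_LOCAL" "$ADDON_LOCAL" "$IDX_LOCAL" "$DEMO/var/log/apache2"
printf '198.51.100.7 - - "GET / HTTP/1.1" 200 1234\n' > "$DEMO/var/log/apache2/access.log"
printf '[error] client denied by server configuration\n' > "$DEMO/var/log/apache2/error.log"

cat > "$UF_LOCAL/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997
EOF

cat > "$ADDON_LOCAL/inputs.conf" <<EOF
[monitor://$DEMO/var/log/apache2/access.log]
index = apache
sourcetype = access_log
disabled = 0

[monitor://$DEMO/var/log/apache2/error.log]
index = apache
sourcetype = apache_error
disabled = 1
EOF

cat > "$IDX_LOCAL/inputs.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF

# ---- run the checklist (single server entry assumed for the host:port split) ----
SERVER=$(outputs_servers "$UF_LOCAL/outputs.conf")
echo "UF outputs.conf points at: $SERVER"
if check_port "${SERVER%%:*}" "${SERVER##*:}"; then
  echo "TCP connect OK"
else
  echo "cannot connect: check firewall between UF and indexer, or the IP in outputs.conf"
fi
echo "disabled stanzas in the add-on inputs.conf:"; disabled_stanzas "$ADDON_LOCAL/inputs.conf"
echo "monitored files this user cannot read:"; unreadable_paths "$ADDON_LOCAL/inputs.conf"
has_splunktcp_listener "$IDX_LOCAL/inputs.conf" 9997 && echo "indexer has an enabled splunktcp://9997 listener"
```

Point the variables at the real directories on your hosts to use it outside the demo, and run it as the splunkd user (for example with sudo -u splunk) so the readability check answers the question Giuseppe asks. The stanza check only reads one .conf file at a time; because Splunk layers default/ and local/, the authoritative merged view is what `splunk btool inputs list --debug` prints on the forwarder.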
Thanks for the clear explanation.
Yes, you are right, I have a Splunk stand-alone server. When I search using index=_internal host= it doesn't show the host.
I guess telnet is the problem; telnet doesn't work from the target server. I have added a firewall rule on the Splunk server and the forwarder server but it still doesn't work. Any idea on this?
iptables -A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
But when I run /opt/splunkforwarder/bin/splunk list monitor, it shows:
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/apache2/access.log
/var/log/apache2/error.log
var/log/apache2
I am not sure what the problem is.
I have installed the add-on for Apache logs and configured it on Splunk Web, and also the inputs.conf on the Universal Forwarder, but the logs are not getting forwarded. Can anyone help?
Have you enabled Receiving on your indexer(s)? Have you configured the UF to send logs to the indexer(s)?
Do you see logs from the UF in index=_internal?