
In a distributed environment, do I have to install a Universal Forwarder on all Linux hosts such as Search Heads, Indexers, Deployment Server, etc.?

smallfry
Explorer

Installing Universal Forwarders on Linux hosts running as Search Heads, Indexers, Deployment Server, etc

Hi everyone,

I had a hard time figuring out the confusing (but excellent effort, though) documentation for the Splunk Add-on for Unix and Linux. I had gone through the docs and Answers but am not 100% sure. My questions are:

  • In a distributed environment, where I want to collect logs from my search head (cluster), indexers, cluster master, license master, deployment server, heavy forwarders, etc., must I install a Linux Universal Forwarder on each of them? It is clear that the Universal Forwarder must be installed on Linux hosts, but how about these Splunk instances that are also running Linux themselves? All my Splunk instances' logs are forwarding to indexers, btw.

  • Specifically for indexers, the documentation states:

"If the indexer is also a *nix host and you want to collect *nix data from it, complete the procedure at Enable the data and scripted inputs within the Splunk_TA_nix add-on on the host."

Seeing the above comments, do I need to install a Linux Universal Forwarder on the indexers?

  • How about the Cluster Master, Deployment Server, etc., that are also running on Linux? Do I need to install a Linux Universal Forwarder on them? Or do I just install the Splunk_TA_nix add-on? Or do I install both? I don't see any mention of them in the docs.

Thanks for the advice in advance.

1 Solution

vliggio
Communicator

There is no need to install the universal forwarder. It is a subset of the code of the full Enterprise Splunk install, so anything that it does, Enterprise Splunk does as well.

To configure the nix add-on in Enterprise Splunk, you can do it through the UI. Once installed, go to your manage Splunk app page and there will be a configure option next to the nix TA. You can then look at /opt/splunk/etc/apps/Splunk_TA_nix/local to look at how it configured the options, and use that as a basis for what you configure on your universal forwarders. Note that to turn on some options you need to make sure you have a couple of additional Linux packages installed (you will see errors in your logs for files not found if you don’t have them installed).

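The last step of the answer above, as an added example that is not from the thread or from Splunk: a POSIX shell script that reads a Splunk_TA_nix local/inputs.conf (a constructed sample is written inline), lists which scripted inputs are enabled, and checks whether the Linux command each one depends on is installed, which is the gap that otherwise surfaces as the "file not found" errors vliggio mentions. The script-to-command mapping is an assumption about the stock Splunk_TA_nix scripts, and the stanza names in the sample are assumed as well.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): list the Splunk_TA_nix
# scripted inputs a local/inputs.conf enables and check their Linux commands.

# Constructed sample of $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
SAMPLE_CONF="${TMPDIR:-/tmp}/ta_nix_inputs_sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[script://./bin/cpu.sh]
interval = 30
disabled = 0
[script://./bin/vmstat.sh]
disabled = 0
[script://./bin/lsof.sh]
disabled = 1
[monitor:///var/log]
disabled = 0
EOF

# Print the script name of every [script://] stanza that is not disabled.
enabled_scripts() {
    awk '
        /^\[script:\/\// { if (name != "" && !off) print name
                           sub(/^\[script:\/\/.*\//, ""); sub(/\]$/, "")
                           name = $0; off = 0; next }
        /^\[/ { if (name != "" && !off) print name; name = ""; next }
        /^disabled[ \t]*=[ \t]*(1|true)/ { off = 1 }
        END { if (name != "" && !off) print name }' "$1"
}

# Assumed map from stock Splunk_TA_nix script to the external command it
# runs (sar and iostat ship in sysstat, vmstat in procps); unknown -> empty.
required_command() {
    case "$1" in
        cpu.sh)     echo sar ;;      iostat.sh) echo iostat ;;
        vmstat.sh)  echo vmstat ;;   lsof.sh)   echo lsof ;;
        netstat.sh) echo netstat ;;  *)         echo "" ;;
    esac
}

# Report each enabled script as OK or MISSING, so the gap shows up here
# rather than as "file not found" errors in splunkd.log.
check_enabled() {
    enabled_scripts "$1" | while read -r script; do
        cmd=$(required_command "$script")
        if [ -z "$cmd" ]; then echo "$script: no command mapping recorded"
        elif command -v "$cmd" >/dev/null 2>&1; then echo "$script: OK ($cmd)"
        else echo "$script: MISSING ($cmd)"; fi
    done
}
check_enabled "$SAMPLE_CONF"
```

Point it at the real local/inputs.conf on an Enterprise host to see which packages that host needs before copying the same stanzas to your universal forwarders.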


smallfry
Explorer

Very clearly answered. I wish Splunk would include this information in their documentation. Thanks!


richgalloway
SplunkTrust

The Linux servers that already have a Splunk instance on them (indexer, DS, etc.) only need Splunk_TA_nix installed.

---
If this reply helps you, an upvote would be appreciated.