
Best way to set up Splunk as a receiver (Splunk protocol) and forwarder (Splunk protocol and syslog protocol)

New Member

I'm trying to set up a Splunk instance on linux that can do the following:

  • receive logs from windows universal forwarders
  • send some of the logs to our central Splunk server
  • send all logs to our central log archiving server via syslog protocol

The documentation says that "The syslog output processor is not available for universal or light forwarders." so I guess I'll have to use a Heavy Forwarder in this situation because of the 3rd requirement.

I tried to run the following commands:

yum install splunk
cd /opt/splunk/bin/
./splunk start
./splunk enable app SplunkForwarder
./splunk restart

This, however, didn't seem to disable the web user interface, and the UI showed that some applications (e.g. search and splunk_datapreview) were still running.

Is there a way to create a "light" Heavy Forwarder that accomplishes only what I need without all those fancy features? If yes, how can it be done?

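The three requirements above map onto four Splunk configuration files on the heavy forwarder (plus web.conf to keep the UI off). The script below is an added example written for this thread, not configuration posted by the asker or shipped by Splunk: it writes the files into a directory you name, so you can inspect them before dropping them into $SPLUNK_HOME/etc/system/local (or, better, an app directory) and restarting. The hostnames, the port 9997, the sourcetype WinEventLog:Security and the HF_CONF_DIR variable are placeholders (assumptions); the stanza and setting names are the ones documented in inputs.conf.spec, outputs.conf.spec, props.conf.spec, transforms.conf.spec and web.conf.spec. The "some of the logs" requirement is met by leaving defaultGroup unset under [tcpout], so only events a transform tags with _TCP_ROUTING reach the central server, while [syslog] defaultGroup sends everything to the archive.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the configuration
# files for a heavy forwarder that receives from universal forwarders,
# forwards a subset to a central Splunk server and forwards everything to a
# syslog archive. Hostnames, ports and the routed sourcetype are
# placeholders (assumptions); adjust them to your environment.
set -eu

# Write the five .conf files into $1 (normally $SPLUNK_HOME/etc/system/local,
# or an app directory such as $SPLUNK_HOME/etc/apps/hf_routing/local).
write_hf_config() {
    dir="$1"
    mkdir -p "$dir"

    # Requirement 1: listen for Splunk-protocol traffic from the Windows UFs.
    cat > "$dir/inputs.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF

    # Requirements 2 and 3: one tcpout group for central Splunk, one syslog
    # group for the archive. There is deliberately no [tcpout] defaultGroup,
    # so nothing reaches central Splunk unless a transform sets _TCP_ROUTING.
    # The [syslog] defaultGroup sends every event to the archive server.
    cat > "$dir/outputs.conf" <<'EOF'
[tcpout:central_splunk]
server = central-splunk.example.internal:9997

[syslog]
defaultGroup = archive

[syslog:archive]
server = log-archive.example.internal:514
type = udp
EOF

    # Requirement 2 ("some of the logs"): only the assumed sourcetype
    # WinEventLog:Security is tagged for the central_splunk group. The
    # transform runs here, on the heavy forwarder, because the UFs do not
    # parse events and therefore cannot apply props/transforms themselves.
    cat > "$dir/props.conf" <<'EOF'
[WinEventLog:Security]
TRANSFORMS-routing = route_security_to_central
EOF

    cat > "$dir/transforms.conf" <<'EOF'
[route_security_to_central]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = central_splunk
EOF

    # Persistent equivalent of turning off Splunk Web: splunkd never starts it.
    cat > "$dir/web.conf" <<'EOF'
[settings]
startwebserver = 0
EOF
}

# Return 0 if file $1 contains the exact line $2 (used for self-checks).
conf_has_line() {
    grep -Fxq -- "$2" "$1"
}

# Print the number of .conf files present in directory $1.
conf_file_count() {
    ls "$1"/*.conf | wc -l | tr -d ' '
}

# HF_CONF_DIR is an assumed convenience variable; default to a scratch dir
# so the script never touches a live Splunk install by accident.
demo_dir="${HF_CONF_DIR:-$(mktemp -d)}"
write_hf_config "$demo_dir"
echo "wrote $(conf_file_count "$demo_dir") files to $demo_dir"
```

After copying the files into place, run `./splunk restart` so splunkd reloads them. Two caveats worth checking on your version: the syslog output sends the raw event text with a syslog header, so Splunk metadata (index, sourcetype) is not carried to the archive, and the heavy forwarder does not keep a local copy unless you also enable indexAndForward in outputs.conf.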

Re: Best way to set up Splunk as a receiver (Splunk protocol) and forwarder (Splunk protocol and syslog protocol)

Ultra Champion

You can disable Splunk Web using the CLI like this:

./splunk disable webserver
./splunk restart