is http://www.splunk.com/wiki/Community:MinimizingForwarderFootprint relevant for 4.x? I do not see etc/apps/SplunkLightForwarder/default/setup.conf. Let me know. Thanks.

everything under /var/log. Not blacklisting or whitelisting anything... pretty much all I'm concerned about are the internal system logs being made via syslog-ng and the zeus access and error logs.... might be ideal to blacklist...

other than that... anything else I should be looking out for?

this is a really old server...

not to mention spunk apparently does not support 2.4 kernel...

To give you guys more info... here are the server specs:

Dell Poweredge 1750, 2x Intel(R) Xeon(TM) CPU 2.40GHz w/ 512k cache, 4GB RAM

Running RHEL ES 3 32-bit with 2.4 Kernel

This sadly is a legacy server we cannot get rid of right now... which is the oldest server out of the test sample of servers we are testing Splunk LF on.

Anyone in a similar situation?

From my perspective all I care about is offloading the logs to the central indexer so if there are things I can do to better minimize the footprint like disable modules let me know.

Any help you can provide would be of great help to us...

Thanks again!!!

Brian

How many directories are you monitoring? How many files are inside those directories in total? How many of those are whitelisted/blacklisted?

Anyone inside splunk know if High CPU utilization with LFW and deployment client (SPL-26789) is still open? The workaround at the time (4.0.6ish) was to disable the deployment client..... ;-(