Deployment Architecture

Splunk for *NIX

christopherhall
Engager

I have Splunk installed on a Windows server, and I want to collect data from certain Red Hat servers. I know I need to install Splunk as a light weight forwarder on the Red Hat systems, but do I need to install the "Splunk for UNIX and Linux" app on both the forwarder and the indexer?

Tags (3)
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder

Ron_Naken
Splunk Employee
Splunk Employee

I would install the *NIX app on the Indexer, since it will provide you the dashboards/reports that you're going to use to view the data from the forwarders.

Ron_Naken
Splunk Employee
Splunk Employee

It should be noted that if you have a large number of these, you might want to look into Deployment Server to allow pushing configuration changes in bulk.

Ron_Naken
Splunk Employee
Splunk Employee

This should get you going for the first RHEL server you setup, as it is the easiest method to install, configure, and diagnose any issues. You could create a reference RHEL in this manner, then install the others initially as an LWF and copy the app and configs.

0 Karma

christopherhall
Engager

Would I need to install the *NIX app on the indexer?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...