Deployment Architecture

Splunk for *NIX

christopherhall
Engager

I have Splunk installed on a Windows server, and I want to collect data from certain Red Hat servers. I know I need to install Splunk as a light weight forwarder on the Red Hat systems, but do I need to install the "Splunk for UNIX and Linux" app on both the forwarder and the indexer?

Tags (3)
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder

Ron_Naken
Splunk Employee
Splunk Employee

I would install the *NIX app on the Indexer, since it will provide you the dashboards/reports that you're going to use to view the data from the forwarders.

Ron_Naken
Splunk Employee
Splunk Employee

It should be noted that if you have a large number of these, you might want to look into Deployment Server to allow pushing configuration changes in bulk.

Ron_Naken
Splunk Employee
Splunk Employee

This should get you going for the first RHEL server you setup, as it is the easiest method to install, configure, and diagnose any issues. You could create a reference RHEL in this manner, then install the others initially as an LWF and copy the app and configs.

0 Karma

christopherhall
Engager

Would I need to install the *NIX app on the indexer?

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...