Getting Data In

Deploying Light Forwarders on Windows

idigiops
New Member

I'm new to Splunk and haven't found the exact answer that I'm looking for, so I'm hoping this is the right place to ask for help.

My goal is to successfully install a light forwarder on one of my application servers, index a log file and then send that data back to my main Splunk server.

Right now, my environment is 100% Windows. I have a new server that I have installed Splunk on. I want to use this as a central server for collecting all logs across my cluster. For now, I simply want to test collecting data from a single app server. What does the workflow look like for this task? Conceptually, I think I should set up my main Splunk server as a deployment server, configure a deployment class, install Splunk on the application server, configure it as a light forwarder, point it back at the main Splunk server, and then assign the correct deployment class to the forwarder. Is this correct?

If someone would confirm that these are the correct steps (or, if they are wrong, provide the right steps) and then offer a semi-detailed run-down of what it takes to get this setup running, I would be very grateful.

Thank you.

0 Karma

gkanapathy
Splunk Employee

Look at this: http://www.splunk.com/wiki/Deploying_Splunk_Light_Forwarders and then, yes, make sure you set the forwarders to point back to your main instance (or whatever instance you will be using as a Deployment Server). In this case, you just need the one server class that will enable the SplunkLightForwarder app, and push out an app (or apps) that configure the indexer target and the inputs.

0 Karma
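
An added example, not part of the thread and not Splunk's own configuration, showing the files the answer above describes: one server class that enables SplunkLightForwarder and pushes an app carrying the indexer target and the inputs. The host name, server class name, app name, log path and sourcetype are hypothetical placeholders; 8089 and 9997 are the conventional management and receiving ports.

```ini
# --- On the main Splunk server (deployment server and indexer) ---
# %SPLUNK_HOME%\etc\system\local\serverclass.conf
[serverClass:windows_app_servers]
# Match deployment clients by host name or IP; keep this pattern narrow.
whitelist.0 = appserver01*

# Enable the SplunkLightForwarder app on matching clients.
# Assumption: a copy of the app sits in deployment-apps so it can be served.
[serverClass:windows_app_servers:app:SplunkLightForwarder]
stateOnClient = enabled
restartSplunkd = true

# Push the custom app (hypothetical name) holding outputs.conf and inputs.conf.
[serverClass:windows_app_servers:app:appserver_forwarding]
stateOnClient = enabled
restartSplunkd = true

# %SPLUNK_HOME%\etc\system\local\inputs.conf
# The main server must listen for forwarded data.
[splunktcp://9997]

# --- Inside the pushed app, stored on the deployment server ---
# %SPLUNK_HOME%\etc\deployment-apps\appserver_forwarding\local\outputs.conf
[tcpout]
defaultGroup = main_indexer

[tcpout:main_indexer]
server = splunk-main.example.local:9997

# %SPLUNK_HOME%\etc\deployment-apps\appserver_forwarding\local\inputs.conf
[monitor://C:\AppLogs\app.log]
sourcetype = app_log
disabled = false

# --- On the application server (the forwarder) ---
# %SPLUNK_HOME%\etc\system\local\deploymentclient.conf
[deployment-client]

[target-broker:deploymentServer]
targetUri = splunk-main.example.local:8089
```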

jrodman
Splunk Employee

That would work. You can cause the deployment class to incorporate the turn-on-light-forwarder-app if that makes sense to you.

Some people seem to choose their mass-msi-rollout tools to manage Splunk in an ongoing fashion, but I'm not an expert in that world.

0 Karma