I'm setting up a server with both splunk-server and splunk-universal-forwarder.
When I try to enable the splunk-server service at boot time with this command:
sudo /opt/splunk/bin/splunk enable boot-start -user root
everything is OK and the /etc/init.d/splunk file is created.
But when I try to enable the splunk-universal-forwarder service at boot time, I got this output:
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user root
System start/stop links for /etc/init.d/splunk already exist.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
And the existing /etc/init.d/splunk file is replaced by the new one.
So in the end I can only enable one service at a time, but of course I'd like to enable both of them.
Thanking you in advance for your help.
You cannot, and do not need to, run a universal forwarder and a full instance on the same server.
The full instance can provide full forwarder functionality, so you can use it to collect whatever you need.
Just configure inputs/props or forwarder apps like you would do with a universal forwarder.
I believe Splunk Enterprise holds a Heavy Forwarder but not a Universal one. So maybe @vincent_deygas can use the Heavy Forwarder instead...
Hello, I am new to using this software and just installed Splunk Enterprise and want to monitor events logs from Windows hosts on the network. My question is, is it necessary to install the Universal Forwarder to make this happen? There is a ton of documents out there but it can be very confusing especially when new to the software. Any help would be greatly appreciated.
The universal forwarder is acting as an "agent": it's just collecting local data (events) and moving them forward to the full Splunk instance.
You would need 1 full Splunk instance and a universal forwarder on each of the desired Windows servers (which you want events from).
Thanks for the response ahudb. I have Windows clients that I would like to collect event logs from. If I have a full instance of Splunk Enterprise running on one server, do I need to install the Universal Forwarder on the Splunk server?
You do not need to install Universal Forwarder on the Splunk server, but you do need to install it on each Windows client.
Is there a way to push the universal forwarder out to all clients using Splunk Web? What is the most proficient way to do this?
No, the Splunk deployment server can be used to manage universal forwarder configuration but you will need to use a form of automation to install the Splunk universal forwarder on your various endpoints.
Interesting thing. For some reason both commands attempt to create the /etc/init.d/splunk file. Looks like a bug ;-)
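A pre-check for the collision described in the question and in the comment above, added here as an example and not taken from the thread or from Splunk: before running `enable boot-start` a second time, it reports which install the existing /etc/init.d/splunk belongs to, so the server's script is not silently overwritten by the forwarder's. It assumes the generated init script invokes its instance as a quoted absolute path "<SPLUNK_HOME>/bin/splunk"; the sample script it writes is constructed for the demo.

```shell
#!/bin/sh
# Pre-check before "splunk enable boot-start": which install owns /etc/init.d/splunk?
# Assumption (not confirmed by the thread): the generated script calls its instance as
# "<SPLUNK_HOME>/bin/splunk" with a quoted absolute path, so that path names the owner.

# splunk_bootstart_owner INIT_SCRIPT -> prints the SPLUNK_HOME referenced by the script
splunk_bootstart_owner() {
    grep -o '"/[^"]*/bin/splunk"' "$1" | head -n 1 | tr -d '"' | sed 's,/bin/splunk$,,'
}

# splunk_bootstart_check INIT_SCRIPT SPLUNK_HOME
#   0 = no script yet, safe to enable
#   1 = script already belongs to this SPLUNK_HOME (already enabled)
#   2 = script belongs to another install; enabling would overwrite it
splunk_bootstart_check() {
    script="$1"; home="$2"
    [ -e "$script" ] || return 0
    owner=$(splunk_bootstart_owner "$script")
    [ "$owner" = "$home" ] && return 1
    echo "$script already belongs to $owner; enabling boot-start for $home would overwrite it" >&2
    return 2
}

# Constructed stand-in for a generated init script (the real one is longer).
# make_sample_init PATH SPLUNK_HOME
make_sample_init() {
    printf '#!/bin/sh\nsplunk_start() {\n  "%s/bin/splunk" start --no-prompt --answer-yes\n}\n' "$2" > "$1"
}

# Demo: the server enabled boot-start first, then the forwarder is about to do the same.
demo_dir=$(mktemp -d)
make_sample_init "$demo_dir/splunk" /opt/splunk
splunk_bootstart_check "$demo_dir/splunk" /opt/splunkforwarder || echo "check returned $?"
rm -rf "$demo_dir"
```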