Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to install Splunk Light on log server?

rpholt
Engager
‎06-02-2017 08:08 AM

Still a bit of a Splunk newbie here. Is it possible to install the Splunk Light indexer locally on a log server and have it index from there? If not, can Splunk Enterprise do this? Can't seem to find a definitive answer on the web.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rpholt
Engager
‎06-02-2017 10:24 AM

Hey Rich,

Thanks for your answer. I think I figured it out. All I'm trying to do is get splunk to monitor local files (/var/log/syslog) on the local machine. That local machine is our syslog server that is receiving logs from the network. Hope that makes sense. In the past we had splunk set up as it's own VM and was getting the logs forwarded from the log server. Now they're both on the same physical hardware. I was just making it more complicated in my head I think. Thanks again.

View solution in original post

Reply
Solved! Jump to solution
Solution

rpholt
Engager
‎06-02-2017 10:24 AM

Hey Rich,

Thanks for your answer. I think I figured it out. All I'm trying to do is get splunk to monitor local files (/var/log/syslog) on the local machine. That local machine is our syslog server that is receiving logs from the network. Hope that makes sense. In the past we had splunk set up as it's own VM and was getting the logs forwarded from the log server. Now they're both on the same physical hardware. I was just making it more complicated in my head I think. Thanks again.

Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎07-16-2017 11:55 AM

I converted your comment to an answer and Accepted it for you. I think it's an answer someone else may find useful, and this way you get a bit of karma, too!

(While we don't recommend the "ask a question then accept your own answer" approach for everything, it's totally fine when appropriate and I think it's totally appropriate here).

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎06-02-2017 10:06 AM

"Have it index from there" sounds like you want something that will take log files local to system X and send those to your Splunk server? My apologies if this is not the case, but if it is...

You will want the Universal Forwarder. You can install it on that local system and have it send all of the logs it gets configured to read over to the indexer. The instructions for installing on Windows is at this location and the instructions for other operating systems is linked in there too, click around a bit and you'll find them if you need them.

The only option I think you need to concern yourself with on the UF is the "Receiving Indexer" option, which you'll want to set to your Splunk server.

Which means you have to set up receiving on the indexer, too. That's in this set of documentation and is really easy.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...