Getting Data In

Is it possible to install Splunk Light on log server?

Engager

Still a bit of a Splunk newbie here. Is it possible to install the Splunk Light indexer locally on a log server and have it index from there? If not, can Splunk Enterprise do this? Can't seem to find a definitive answer on the web.

0 Karma
1 Solution

Engager

Hey Rich,

Thanks for your answer. I think I figured it out. All I'm trying to do is get Splunk to monitor local files (/var/log/syslog) on the local machine. That local machine is our syslog server that is receiving logs from the network. Hope that makes sense. In the past we had Splunk set up as its own VM and was getting the logs forwarded from the log server. Now they're both on the same physical hardware. I was just making it more complicated in my head I think. Thanks again.

SplunkTrust

I converted your comment to an answer and Accepted it for you. I think it's an answer someone else may find useful, and this way you get a bit of karma, too!

(While we don't recommend the "ask a question then accept your own answer" approach for everything, it's totally fine when appropriate and I think it's totally appropriate here).

0 Karma

SplunkTrust

"Have it index from there" sounds like you want something that will take log files local to system X and send those to your Splunk server? My apologies if this is not the case, but if it is...

You will want the Universal Forwarder. You can install it on that local system and have it send all of the logs it gets configured to read over to the indexer. The instructions for installing on Windows are at this location, and the instructions for other operating systems are linked in there too; click around a bit and you'll find them if you need them.

The only option I think you need to concern yourself with on the UF is the "Receiving Indexer" option, which you'll want to set to your Splunk server.

Which means you have to set up receiving on the indexer, too. That's in this set of documentation and is really easy.
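The two setups discussed in this thread, written out as Splunk .conf stanzas: the accepted approach (Splunk on the syslog host monitoring /var/log/syslog directly) and the alternative (a Universal Forwarder on the syslog host sending to a separate indexer). This is an added example, not configuration from any of the posters; the hostname indexer.example.com, the index name and the output group name are assumptions, and 9997 is simply Splunk's conventional receiving port.

```ini
# --- Case 1: Splunk (Light or Enterprise) installed on the syslog server itself ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the syslog host.
# A monitor stanza tails the file; no forwarding is involved because the
# indexer and the log file live on the same machine.
[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog
index = main            ; assumed index name; create a dedicated one in production

# --- Case 2: Universal Forwarder on the syslog server, indexer elsewhere ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the UF (same monitor stanza).
[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog
index = main

# $SPLUNK_HOME/etc/system/local/outputs.conf on the UF.
# This is the "Receiving Indexer" setting the answer above refers to.
[tcpout]
defaultGroup = primary_indexers   ; assumed group name

[tcpout:primary_indexers]
server = indexer.example.com:9997 ; assumed hostname; 9997 is the usual receiving port

# $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer.
# Receiving must be enabled here or the UF's data is silently dropped.
# Restrict TCP/9997 at the host firewall to the forwarder's address(es).
[splunktcp://9997]
disabled = 0
```

The same result can be reached from the CLI with `splunk add monitor /var/log/syslog` on the monitoring host, `splunk add forward-server indexer.example.com:9997` on the UF, and `splunk enable listen 9997` on the indexer; each writes the corresponding stanza above.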