Am a newbie to splunk, I am able to install splunk but i am not able to understand forwarders and where and how to use them.
e.g : 192.168.0.1 [Splunk Server running on Linux]
192.168.0.2 [ Apache running and MySQL ]
192.168.0.3 [ Syslog-ng server]
How to setup splunk so that it can monitor apache/mySQL and other services log and also the syslog. If you have any step-by-step doc please share it across, I read documentation but i didnt able to setup.
My second question is, do i need to install splunk-forwader in 192.168.0.2 and 3 so that the splunk server can talk to them? and where we need forwader and why. If i need to install splunk-forwader then how to configure it.
I know am asking silly question may be,but sorry am not able to follow the documentation.
Your help will be appreciated.
It sounds like you've got a splunk indexer running on 192.168.0.1, and you want to install splunk forwarders at 192.168.0.2 and 192.168.0.3.
The first thing that you'd need to do would be to enable recieving on your splunk indexer. To do that, follow these instructions:
Set up receiving You enable receiving on a Splunk instance through Splunk Web or the CLI.  Set up receiving with Splunk Web Use Splunk Manager to set up a receiver: 1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder. 2. Click the Manager link in the upper right corner. 3. Select Forwarding and receiving in the Data area. 4. Click Add new in the Receive data section. 5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd. 6. Click Save. You must restart Splunk to complete the process.  Set up receiving with Splunk CLI To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path. To enable receiving, enter: ./splunk enable listen <port> -auth <username>:<password> For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
Once you've configured the Receiver, it is time to configure your forwarders. You'll want to use the Universal Forwarder. The package needs to be installed on both 192.168.0.2 and 3, because a universal forwarder only forwards data from the place it is installed.
You'll also need to setup your inputs.conf file to monitor the folders or directories that you are interested in getting data from.
The instructions for deploying a universal forwarder are here:
This gives you a step by step procedure, so if things aren't working well, you'll need to explain what is wrong.
For information on what to configure in inputs.conf, see
Specifically, look at the bottom of the spec file for the example and then, if needed, you can go back up to reference particular settings to determine if they may be applicable to your Splunk instance.
I hope this information is helpful.
Thanks i have solved the issue, it was issue with the indexer settings.
Now i need to configure the forwarder so that it can send the pacct log to my splunk server. I tried configure the same in the inputs.conf file in the forwarder but no luck.
You should be able to set up the inputs.conf file in a similar manner on the forwarder. If you look on the forwarder in $SPLUNK_HOME/var/log/splunk/ and search for the path to the input you created, you may see some data indicating what is happening.
If you found the answer acceptable, please click on the checkbox to accept it as being valid.
I have added [monitor:///var/log/acct] in the forwader inputs.conf file, everything seems working apart from loggint the psacct, i have configured psacct and the file where its logging in all the info is "acct" file. Am i doing something wrong in the configuration. As your suggestion i was looking into the log files, but not able to trace something related to psacct. Please help.
From $SPLUNK_HOME/bin/ you can run the command 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus >> filestatus.txt' This should tell you what the status of the input is, and which files have been read or not read.