I've my cisco devices sending the logs to kiwi syslog server and writing them to several files, (ise,switches,asa...). I need to monitor and ingest the data. Which servers do I setup the monitoring on? I've 1 search,deployment,indexer,HF each.
On your Kiwi Syslog Server (which is writing Cisco logs to different files), install splunk universal forwarder and start monitoring those different file.
For different type of data parsing, you may need to install various Splunk apps/add-ons on Indexer OR Heavy Forwarder and Search Head.
thanks, but I'm trying to find out which one of my server will be more suitable or recommended to create the setup of the add data? I already have the UF on the syslog server and the cisco app and addon installed and my output.conf, but didn't find any doc about where to configure the add data setup.
