Forwarders - are they required on each device pulling logs?

New Member

Good Afternoon,

I'm new to splunk - I've pulled a copy of the demo software and have question concerning forwarders

- Are forwarders required to be installed on each device supplying logs or can one central forwarder "receive" logs from multiple devices (i.e. windows, linux, cisco switches)?

I want to setup a raspberry pi to receive logs from a few low use windows boxes, and linux boxes, possibly a switch or two.


Thanks in advance


John Bond 

Labels (1)
Tags (1)
0 Karma


Forwarders should be as close to the data as possible.  For Windows and Linux machines that usually means installing a forwarder directly on the box. 

For appliances and other devices that can't run a forwarder, they should send their logs to a forwarder on another box.  If that involves syslog, send the data to a dedicated syslog server (syslog-ng, rsyslog, SC4S) and forward from there to Splunk.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...