Good Afternoon,
I'm new to Splunk - I've pulled a copy of the demo software and have a question concerning forwarders
- Are forwarders required to be installed on each device supplying logs, or can one central forwarder "receive" logs from multiple devices (i.e. Windows, Linux, Cisco switches)?
I want to set up a Raspberry Pi to receive logs from a few low-use Windows boxes and Linux boxes, possibly a switch or two.
Thanks in advance
John Bond
Forwarders should be as close to the data as possible. For Windows and Linux machines that usually means installing a forwarder directly on the box.
For appliances and other devices that can't run a forwarder, they should send their logs to a forwarder on another box. If that involves syslog, send the data to a dedicated syslog server (syslog-ng, rsyslog, SC4S) and forward from there to Splunk.
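The relay layout described in the answer above, as an added example that is not part of the original posts: rsyslog receives syslog from devices that cannot run a forwarder and writes one file per sender, and a forwarder on the same box monitors those files. The staging directory, port 514, the `/var/log/remote` path, the `network` index and the `syslog` sourcetype are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: stage the two config files for a syslog relay host.
# Assumed (not from the thread): paths, port 514, index "network", sourcetype "syslog".

write_configs() {
    out="$1"
    mkdir -p "$out"

    # rsyslog drop-in (e.g. /etc/rsyslog.d/30-remote.conf): receive remote
    # syslog and write one file per sending host. The hostname comes from the
    # sender, so secpath-replace strips "/" before it is used in a file path.
    cat > "$out/30-remote.conf" <<'EOF'
module(load="imudp")
module(load="imtcp")
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/syslog.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF

    # Forwarder inputs.conf: monitor the per-host files and take the Splunk
    # "host" field from the 4th path segment (var/log/remote/<host>).
    cat > "$out/inputs.conf" <<'EOF'
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
index = network
host_segment = 4
disabled = false
EOF
}

# Mirror of what host_segment does: return path segment N (1-based).
host_from_path() {
    printf '%s\n' "$1" | cut -d/ -f"$(( $2 + 1 ))"
}

write_configs "${1:-./syslog-relay-staging}"
# Constructed sample path: shows which directory name becomes the host value.
host_from_path /var/log/remote/core-sw1/syslog.log 4
```

Review the staged files before copying them into place. The index named in `inputs.conf` has to exist on the Splunk side.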