I'm trying to set up a Splunk instance on linux that can do the following:
The documentation says that "The syslog output processor is not available for universal or light forwarders." so I guess I'll have to use a Heavy Forwarder in this situation because of the 3rd requirement.
I tried to run the following commands:
yum install splunk
cd /opt/splunk/bin/
./splunk start
./splunk enable app SplunkForwarder
./splunk restart
This, however, didn't seem to disable the web user interface, and the UI showed that some applications (e.g. search and splunk_datapreview) were still running.
Is there a way to create a "light" Heavy Forwarder that accomplishes only what I need without all those fancy features? If yes, how can it be done?
You can disable Splunk Web using the CLI like this:
./splunk disable webserver
./splunk restart
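The two CLI steps above, plus the `enable app SplunkForwarder` step from the question, as a small POSIX shell script with a verification pass. This is an added example, not code from the question, the answer or Splunk itself; it assumes SPLUNK_HOME=/opt/splunk and the default Splunk Web port 8000 (both overridable through the environment), and it checks the effective web.conf through `splunk btool web list settings` and then confirms nothing still listens on the web port, since a heavy forwarder with Splunk Web accidentally left on is one more login page exposed on the host.

```shell
#!/bin/sh
# Added example (not from the original question or answer): turn a full
# Splunk Enterprise install into a "light" heavy forwarder and verify that
# Splunk Web is really off. SPLUNK_HOME and SPLUNK_WEB_PORT are assumptions;
# override them for your install.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_WEB_PORT="${SPLUNK_WEB_PORT:-8000}"

# web_disabled_in_conf: read "splunk btool web list settings" style output
# (stanza header, then "key = value" lines) on stdin and succeed only if
# startwebserver is explicitly 0 inside the [settings] stanza.
web_disabled_in_conf() {
    awk '
        /^\[settings\]/ { in_settings = 1; next }
        /^\[/           { in_settings = 0 }
        in_settings && $1 == "startwebserver" { val = $3 }
        END { if (val == "0") exit 0; exit 1 }
    '
}

# web_port_closed: succeed if nothing is listening on the given TCP port.
# Uses ss(8), falling back to netstat(8) where ss is not installed.
web_port_closed() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    else
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    fi
}

# configure_light_forwarder: the steps from the question and the answer.
configure_light_forwarder() {
    bin="$SPLUNK_HOME/bin/splunk"
    "$bin" enable app SplunkForwarder   # forwarder role, as in the question
    "$bin" disable webserver            # same effect as startwebserver = 0 in web.conf
    "$bin" restart
}

# verify_light_forwarder: fail loudly if Splunk Web is still configured on
# or still bound to its port after the restart.
verify_light_forwarder() {
    "$SPLUNK_HOME/bin/splunk" btool web list settings | web_disabled_in_conf \
        || { echo "startwebserver is not 0 in the effective web.conf" >&2; return 1; }
    web_port_closed "$SPLUNK_WEB_PORT" \
        || { echo "something still listens on port $SPLUNK_WEB_PORT" >&2; return 1; }
    echo "Splunk Web is disabled; forwarder role active"
}

# Only touch the running instance when invoked as: sh light_forwarder.sh apply
case "${1:-}" in
    apply) configure_light_forwarder && verify_light_forwarder ;;
esac
```

Run it as `sh light_forwarder.sh apply` on the forwarder host; without the `apply` argument it only defines the functions, so the parser and port check can be sourced and reused in other checks. The btool check matters because `disable webserver` writes to `etc/system/local/web.conf`, and a later app or deployment-server push that sets `startwebserver = 1` in a higher-precedence stanza would silently re-enable the UI; checking the effective (btool-merged) value catches that.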