Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best way to set up Splunk as a receiver (Splunk protocol) and forwarder (Splunk protocol and syslog protocol)

zizzencs
New Member
‎08-06-2012 10:03 AM

I'm trying to set up a Splunk instance on linux that can do the following:

  • receive logs from windows universal forwarders
  • send some of the logs to our central Splunk server
  • send all logs to our central log archiving server via syslog protocol

The documentation says that "The syslog output processor is not available for universal or light forwarders." so I guess I'll have to use a Heavy Forwarder in this situation because of the 3rd requirement.

I tried to run the following commands:

yum install splunk
cd /opt/splunk/bin/
./splunk start
./splunk enable app SplunkForwarder
./splunk restart

This however didn't seem to disable the web user interface and the UI showed that some applications (e.g. search and splunk_datapreview) were still running.

Is there a way to create a "light" Heavy Forwarder that accomplishes only what I need without all those fancy features? If yes, how can it be done?

Tags (1)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎08-06-2012 07:24 PM

You can disable Splunk Web using the CLI like this :

./splunk disable webserver
./splunk restart
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...