We need more information. How much data will be ingested each day? How long will that data be retained? How much searching will the system perform? If you have a single indexer then there is no need for a Cluster Manager (f.k.a. Cluster Master), and the search head can serve as the License Manager on such a small system. For larger ingest amounts and better search performance, multiple indexers may be needed, which call for a Cluster Manager. Syslog data should not be sent directly to a Splunk process. Instead, send it to a dedicated syslog server (rsyslog or syslog-ng) and write it to disk. Have a Splunk Universal Forwarder monitor the disk and forward the data to the indexer(s).
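The syslog-to-disk-to-forwarder pattern described in the answer, shown as an added configuration example (not from the original post or from Splunk/rsyslog documentation): rsyslog writes one file per sending host per day, and the Universal Forwarder monitors that tree. File paths, the listening port, the `netops` index name and the `splunk` group are assumptions.

```conf
# --- /etc/rsyslog.d/10-splunk-ingest.conf (assumed path) -------------------
# Accept syslog over UDP and TCP on 514 (assumed port; rsyslog needs the
# privilege to bind it) and route both into a dedicated ruleset.
module(load="imudp")
input(type="imudp" port="514" ruleset="to_disk")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="to_disk")

# One file per sending host per day keeps the forwarder's file set bounded
# and lets the host be recovered from the path instead of parsed from each line.
template(name="PerHostDailyFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Write an RFC3339 timestamp so Splunk gets an unambiguous, zoned time.
template(name="LineWithIsoTime" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="to_disk") {
    action(type="omfile"
           dynaFile="PerHostDailyFile"
           template="LineWithIsoTime"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="syslog" dirGroup="splunk"      # assumed group the UF runs as
           fileOwner="syslog" fileGroup="splunk")
    stop
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder -------------
# Monitor the tree rsyslog writes; host_segment=4 maps
# /var/log/remote/<host>/<date>.log -> segment 4 is <host>.
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
index = netops
host_segment = 4
ignoreOlderThan = 7d
crcSalt = <SOURCE>
disabled = 0
```

Retention on the syslog host (deleting old daily files) is handled outside Splunk, for example by a cron job, so it should match the Splunk index retention you decide on once ingest volume is known.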