I would like to achieve the following: run Splunk on some Windows (2003, 2008, 2008R2) hosts and: send all event logs to a Splunk intermediate forwarder monitor some directories and send all logs from these directories to the same intermediate forwarder run Splunk on a Linux (RHEL6) host and: receive all logs from the Windows hosts forward all received logs to our central Splunk server forward all received logs to a syslog server as well. I feel awkward for not being able to set it up in a day... 😞 So on the Windows hosts the best option is to install and run Universal Forwarders. I set them up easily, no problem here. On the Linux host the first problem is to choose the appropriate forwarder type. The documentation states that syslog output is not available in Light and in Universal Forwarders so they are not viable candidates. This leaves me with a Heavy Forwarder. I deployed Splunk to our central repository and installed it from the .rpm file. I turned on the SplunkForwarder application and restarted Splunk. So far so good. At this stage I noticed that many of the features of Splunk are enabled, mainly: the web interface some applications: gettingstarted launcher learned search splunk_datapreview It also handles some databases: _audit _blocksignature _internal _thefishbucket history main summary Now, I don't really know why these are required and what these do. However, I can't seem to be able to disable them, their config file say in some cases that the app can't be disabled. Additionally, I have this message in scheduler.log every minute: 08-08-2012 17:59:18.838 +0200 ERROR SavedSplunker - Scheduler will not start searches for the next 60 seconds. The minimum free disk space (2000MB) reached for /opt/splunk/var/run/ splunk/dispatch. I know about this, but I really don't need/want searchers to run. All these observations led me to the question: is there a way to install a Splunk instance that has light footprint and still able to accomplish my goals? If yes, how can it be set up? Any advice/details/etc. is welcome. ... View more

I'm trying to set up a Splunk instance on linux that can do the following: receive logs from windows universal forwarders send some of the logs to our central Splunk server send all logs to our central log archiving server via syslog protocol The documentation says that "The syslog output processor is not available for universal or light forwarders." so I guess I'll have to use a Heavy Forwarder in this situation because of the 3rd requirement. I tried to run the following commands: yum install splunk cd /opt/splunk/bin/ ./splunk start ./splunk enable app SplunkForwarder ./splunk restart This however didn't seem to disable the web user interface and the UI showed that some applications (e.g. search and splunk_datapreview) were still running. Is there a way to create a "light" Heavy Forwarder that accomplishes only what I need without all those fancy features? If yes, how can it be done? ... View more