Best way to set up Splunk as a receiver (Splunk protocol) and forwarder (Splunk protocol and syslog protocol)

zizzencs
New Member

I'm trying to set up a Splunk instance on linux that can do the following:

  • receive logs from windows universal forwarders
  • send some of the logs to our central Splunk server
  • send all logs to our central log archiving server via syslog protocol

The documentation says that "The syslog output processor is not available for universal or light forwarders." so I guess I'll have to use a Heavy Forwarder in this situation because of the 3rd requirement.

I tried to run the following commands:

yum install splunk
cd /opt/splunk/bin/
./splunk start
./splunk enable app SplunkForwarder
./splunk restart

This, however, didn't seem to disable the web user interface, and the UI showed that some applications (e.g. search and splunk_datapreview) were still running.

Is there a way to create a "light" Heavy Forwarder that accomplishes only what I need without all those fancy features? If yes, how can it be done?


Damien_Dallimor
Ultra Champion

You can disable Splunk Web using the CLI like this:

./splunk disable webserver
./splunk restart
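Putting the thread together: the three requirements in the question (receive from Windows universal forwarders, send only some data to the central Splunk server, send everything to a syslog archive) plus the web-disable step from the answer can all be expressed as configuration files on the heavy forwarder. The script below is an added example written for this thread, not code from the original posts or from Splunk; it generates those files under a Splunk home directory so you can inspect or diff them before deploying. The app name hf_routing, the host names central.example.com and archive.example.com, the ports, and the choice of WinEventLog:Security as the sourcetype that goes to the central indexers are assumptions; substitute your own. It relies on documented outputs.conf behaviour: with no defaultGroup under [tcpout], data is forwarded over the Splunk protocol only when a transform sets _TCP_ROUTING, while defaultGroup under [syslog] sends every event to the syslog group.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates configuration for a
# Splunk Enterprise instance acting as a "light" heavy forwarder that:
#   1. listens for Windows universal forwarders on 9997 (splunktcp input)
#   2. forwards only selected sourcetypes to the central Splunk indexers
#   3. forwards every event to a syslog archive
#   4. neither indexes locally nor starts Splunk Web
# Assumptions: app name hf_routing, hosts central.example.com and
# archive.example.com, port numbers, and the WinEventLog:Security sourcetype.
set -eu

make_forwarder_app() {
    splunk_home="$1"          # e.g. /opt/splunk; point it at a temp dir for a dry run
    app="$splunk_home/etc/apps/hf_routing/local"
    sys="$splunk_home/etc/system/local"
    mkdir -p "$app" "$sys"

    # 1. Receive from universal forwarders (Splunk-to-Splunk protocol).
    cat > "$app/inputs.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF

    # 2 + 3. Outputs. No defaultGroup under [tcpout]: nothing reaches the central
    # indexers unless a transform sets _TCP_ROUTING. The [syslog] stanza does set
    # a defaultGroup, so every event goes to the archive.
    cat > "$app/outputs.conf" <<'EOF'
[tcpout]
indexAndForward = false

[tcpout:central_indexers]
server = central.example.com:9997

[syslog]
defaultGroup = log_archive

[syslog:log_archive]
server = archive.example.com:514
type = udp
EOF

    # Route only the listed sourcetype to the central indexers (assumed choice).
    cat > "$app/props.conf" <<'EOF'
[WinEventLog:Security]
TRANSFORMS-route_central = route_to_central
EOF

    cat > "$app/transforms.conf" <<'EOF'
[route_to_central]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = central_indexers
EOF

    # 4. Same effect as "splunk disable webserver", kept under version control.
    cat > "$sys/web.conf" <<'EOF'
[settings]
startwebserver = 0
EOF
    printf '%s\n' "$app"
}

# Checks that the generated files carry the stanzas the design depends on;
# returns non-zero if any are missing.
check_forwarder_app() {
    splunk_home="$1"
    app="$splunk_home/etc/apps/hf_routing/local"
    for f in inputs outputs props transforms; do
        [ -s "$app/$f.conf" ] || return 1
    done
    grep -q '^\[splunktcp://9997\]' "$app/inputs.conf" || return 1
    grep -q '^\[tcpout:central_indexers\]' "$app/outputs.conf" || return 1
    # Exactly one defaultGroup, and it must belong to the syslog output.
    [ "$(grep -c '^defaultGroup' "$app/outputs.conf")" -eq 1 ] || return 1
    grep -q '^defaultGroup = log_archive' "$app/outputs.conf" || return 1
    grep -q '^DEST_KEY = _TCP_ROUTING' "$app/transforms.conf" || return 1
    grep -q '^startwebserver = 0' "$splunk_home/etc/system/local/web.conf" || return 1
    return 0
}

# Usage: sh make_hf_app.sh /opt/splunk && /opt/splunk/bin/splunk restart
if [ -n "${1:-}" ]; then
    make_forwarder_app "$1"
    check_forwarder_app "$1"
fi
```

Run it against a scratch directory first and read the generated files; once deployed to the real Splunk home, a restart picks them up. Because the tcpout section has no default group, a new sourcetype that should also reach the central server needs its own TRANSFORMS entry in props.conf, which makes the "what leaves this box over the Splunk protocol" decision explicit and reviewable.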