Are splunk forwarders installed on every machine that generates log?

Question

I am trying to understand the splunk architecture and am confused by the articles on the topic.

I understand that forwarders retrieve information from the physical log files and forward those to indexers but what I don't understand is how forwarders achieve this.

More specifically:

1. Do you need to install a forwarder onto every machine, virtual or physical, which generates log files which can push this information to the indexers or can there be a central forwarder which can connect to various application hosts and pull in the log information to forward to indexers or are both options available?

Any feedback would be greatly appreciated.

Thanks,

Bob

Answer 1

It can be done either way. Best Practice is to put a forwarder as close to the source of the data as possible. That would mean installing a UF on the machine from which logs will be indexed. This usually is the simplest method.

One can use a central forwarder that collects logs from several hosts. Care should be taken to ensure the correct host name is associated with each log.