I did this.
On the Splunk server (receiver): download/install the Splunk TA for Unix and Linux on the Splunk server (receiver) and enable it by going to Manager | Apps | Enable.
On the host you want to collect data from (sender): download and install the Splunk Universal Forwarder on the Linux host. The assumption is made that this is configured and sending data to Splunk; in brief, it consisted of the following for RHEL6:
Install: rpm -ivh splunkforwarder-4.3.3-128297-linux-2.6-x86_64.rpm
Create the init.d start-up script: /opt/splunkforwarder/bin/splunk enable boot-start
Enable start-up at boot: chkconfig splunk on
Open firewall port tcp 9997: iptables -I INPUT 4 -p tcp --dport 9997 -j ACCEPT
Copy the default inputs.conf file from $SPLUNK_HOME/splunkforwarder/etc/system/default to $SPLUNK_HOME/splunkforwarder/etc/system/local; check UID/GUIDs are splunk:splunk.
Next edit the inputs.conf file located in $SPLUNK_HOME/splunkforwarder/etc/system/local to get something basic set up:
[default]
host = mysender.local

[monitor:///var/log/secure]
disabled = false
Start the splunkforwarder: service splunk start or /etc/init.d/splunk start
Tell Splunk that it now has a new sender: /opt/splunkforwarder/bin/splunk add forward-server mysender.local:9997
You should be getting data in Splunk now.
Now download and manually install the Splunk Technology Add-on (TA) for Unix and Linux onto the host to collect data from (sender); it will end up here: $SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix
Copy the default inputs.conf file from $SPLUNK_HOME/splunkforwarder/etc/Splunk_TA_nix/default/inputs.conf to $SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/local/
I had to create the “local” directory; also check UID/GUIDs are splunk:splunk.
cp /opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/
Next edit the inputs.conf file located in /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/ and enable the items you wish to monitor by setting the “disabled” attribute to “false”, and then restart splunkforwarder.
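The two inputs.conf edits above (the basic [default]/[monitor://] file on the forwarder and flipping "disabled" in the TA's local copy) are easy to get wrong silently: a stanza left at disabled = true simply never ships data, and nothing complains. The following is an added example, not code from the original post or from Splunk: a small POSIX sh helper that generates the basic inputs.conf for a list of log paths, plus an audit function that lists which [monitor://] stanzas in an existing inputs.conf are actually enabled (Splunk treats a missing "disabled" key as enabled, and accepts true/1 and false/0). The host name, log paths and temp-file locations are constructed placeholders; the real file on the sender lives under /opt/splunkforwarder/etc/... as described above.

```shell
#!/bin/sh
# Added example (not from the original post): build and audit a Splunk
# forwarder inputs.conf. Host names and paths below are constructed samples.

# Emit an inputs.conf with a [default] host stanza and one enabled
# [monitor://<path>] stanza per path. Usage: gen_inputs_conf <host> <path>...
gen_inputs_conf() {
    host="$1"; shift
    printf '[default]\nhost = %s\n' "$host"
    for p in "$@"; do
        printf '\n[monitor://%s]\ndisabled = false\n' "$p"
    done
}

# Print the path of every [monitor://...] stanza in the file $1 whose
# "disabled" value is not true/1 (a missing key counts as enabled).
# Use this after editing the TA's local/inputs.conf to confirm what will
# really be collected before restarting the forwarder.
enabled_monitors() {
    awk '
        function flush() {
            if (path != "" && disabled != "true" && disabled != "1") print path
            path = ""; disabled = ""
        }
        # "[monitor://" is 11 characters; the path starts at column 12.
        /^\[monitor:\/\// { flush(); path = substr($0, 12); sub(/\]$/, "", path); next }
        /^\[/             { flush(); next }
        /^[ \t]*disabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); disabled = v
        }
        END { flush() }
    ' "$1"
}

# Demo on a constructed file: two enabled monitors plus one left disabled,
# which mimics a TA inputs.conf where only some items were switched on.
demo_inputs_conf() {
    f=$(mktemp)
    gen_inputs_conf mysender.local /var/log/secure /var/log/messages > "$f"
    printf '\n[monitor:///var/log/audit/audit.log]\ndisabled = true\n' >> "$f"
    echo "Enabled monitor stanzas in $f:"
    enabled_monitors "$f"
    rm -f "$f"
}
```

Run the audit against the forwarder's own files, e.g. enabled_monitors /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf, to see exactly which TA inputs you have turned on; an empty result means the restart will not change what is collected.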
