I have a RHEL6 VM that has a Splunk server installed on it, and about 30 clients of various OS types.
Is it necessary/best practice to install a universal forwarder on the server itself?
My security officer says the server does not show up on her dashboard. To me, it seems the server would include the software needed to monitor itself; it wouldn't be necessary to install a universal forwarder on a server.
No, the universal forwarder is like a light server; your Splunk server can forward and analyse on its own.