Hi ferdie,
For this purpose, the only relevant ports open by default on the Splunk Light instance are 8000 for the Web interface and 8089 for the management port. These can be changed during Splunk startup if the ports are already taken. To get a Forwarder connected to send data to a Splunk Light instance AND under the control of the Splunk Light instance, you need to do a couple of things.
1. Open a port on the Splunk Light instance to listen for data from the forwarder. You can do this via the Splunk Light UI in the Data, Receiving section. Let's say you select 9997.
2. On the Forwarder, tell it where to send data. You can do this from the CLI by using:
    splunk add forward-server 10.0.0.2:9997
   Where 10.0.0.2 is the address of your Splunk Light server and 9997 is the port you opened to listen. On the forwarder, you will be asked to authenticate locally, and if you have not changed the password, the default is admin/changeme.
3. On the Forwarder, tell it you want to control the Forwarder from the Splunk Light instance. Use:
    splunk set deploy-poll 10.0.0.2:8089
   Note that data goes to one port (9997) and management is done through another port (8089). You will also be asked to authenticate again locally to the Forwarder with the default admin/changeme.
You should now see the Forwarder in the Add Data, Forwarded inputs section on the Splunk Light instance.
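An added example, not part of the original answer: a Python check that a forwarder's configuration keeps the data port and the management port apart, as the answer describes. It assumes the two CLI commands write the outputs.conf and deploymentclient.conf stanzas shown in the constructed samples; the function names and the sample file contents are illustrative.

```python
import configparser

# Constructed samples of the forwarder's files after the two CLI commands.
OUTPUTS_CONF = """\
[tcpout:default-autolb-group]
server = 10.0.0.2:9997
"""

DEPLOYMENTCLIENT_CONF = """\
[target-broker:deploymentServer]
targetUri = 10.0.0.2:8089
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (targetUri)
    cp.read_string(text)
    return cp

def _split(endpoint):
    host, _, port = endpoint.strip().rpartition(":")
    return host, int(port)

def check_forwarder(outputs_text, deploy_text, data_port=9997, mgmt_port=8089):
    """Return a list of findings; an empty list means data and management are separated."""
    findings = []
    out, dep = _parse(outputs_text), _parse(deploy_text)
    receivers = []
    for section in out.sections():
        if section.startswith("tcpout:"):
            servers = out.get(section, "server", fallback="")
            receivers += [_split(s) for s in servers.split(",") if s.strip()]
    if not receivers:
        findings.append("no forward-server configured in outputs.conf")
    for host, port in receivers:
        if port == mgmt_port:
            findings.append(f"data is sent to management port {port} on {host}")
        elif port != data_port:
            findings.append(f"data port {port} on {host} is not the receiving port {data_port}")
    target = dep.get("target-broker:deploymentServer", "targetUri", fallback=None)
    if target is None:
        findings.append("no deploy-poll target in deploymentclient.conf")
    else:
        host, port = _split(target)
        if port != mgmt_port:
            findings.append(f"deploy-poll targets port {port}, expected management port {mgmt_port}")
        if receivers and host not in {h for h, _ in receivers}:
            findings.append(f"deploy-poll host {host} differs from forward-server host")
    return findings
```

To check a real forwarder, pass the text of its own outputs.conf and deploymentclient.conf in place of the samples.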