Hopefully this will help others take a lot of surfing for answers out of this simple procedure:
Download UF http://www.splunk.com/download/universalforwarder
Install UF
rpm -Uvh splunkforwarder-5.0.2-149561.i386.rpm
Download Tech Add On http://splunk-base.splunk.com/apps/33800/splunk-add-on-for-unix-and-linux
Configure TA
cd $SPLUNK_HOME/etc/apps/
tar xzvf $TMP/Splunk_TA_nix-4.7.0-156739.tgz
mkdir $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local
cp $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/.
vi $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
chown -R splunk:splunk $SPLUNK_HOME/etc/apps/Splunk_TA_nix
Configure UF
$SPLUNK_HOME/bin/splunk edit user admin -password 'skcorknulps' -role admin -auth admin:changeme
$SPLUNK_HOME/bin/splunk add forward-server hostname:9997
$SPLUNK_HOME/bin/splunk start
Verify UF
$SPLUNK_HOME/bin/splunk list forward-server
Username = admin
Passwd = skcorknulps
Also helpful to check web interface to verify: App-> *Nix-4.6 -> Configs -> Hardware Configurations by Host
NOTES: No firewall changes needed on clients running UF. Must open 9997/TCP on server (unless using a non-standard port). Example iptables rule:
RHEL5:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s ip.of.client.here --dport 9997 -j ACCEPT
RHEL6:
-A INPUT -m state --state NEW -m tcp -p tcp -s ip.of.client.here --dport 9997 -j ACCEPT
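To extend the iptables note to several forwarders, this added example (not part of the original post) generates one source-restricted rule per client for either chain and rejects anything that is not a valid IPv4 address, such as a leftover ip.of.client.here placeholder. The function names and the client addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit one ACCEPT rule per forwarder for the Splunk receiving
# port, in the /etc/sysconfig/iptables line format shown in the notes above.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, empty field
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules CHAIN PORT ADDR...
# Prints the rules only if every address is valid, so a typo or an unfilled
# placeholder never yields a partial rule set. Returns 1 (bad address) or
# 2 (bad port) with a message on stderr.
gen_rules() {
    chain=$1 port=$2
    shift 2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "invalid port: $port" >&2; return 2; }
    rules=
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid client address: $ip" >&2; return 1; }
        rules="${rules}-A $chain -m state --state NEW -m tcp -p tcp -s $ip --dport $port -j ACCEPT
"
    done
    printf '%s' "$rules"
}

# Constructed sample forwarders (RFC 5737 documentation range).
CLIENTS="192.0.2.10 192.0.2.11"

echo "# RHEL5 chain"
gen_rules RH-Firewall-1-INPUT 9997 $CLIENTS
echo "# RHEL6 chain"
gen_rules INPUT 9997 $CLIENTS
```

The printed lines go above the final REJECT rule in /etc/sysconfig/iptables on the receiving server.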