Hopefully this will help others take alot of surfing for answers out of this simple procedure: Download UF http://www.splunk.com/download/universalforwarder Install UF rpm -Uvh splunkforwarder-5.0.2-149561.i386.rpm Download Tech Add On http://splunk-base.splunk.com/apps/33800/splunk-add-on-for-unix-and-linux Configure TA cd $SPLUNK_HOME/etc/apps/ tar xzvf $TMP/Splunk_TA_nix-4.7.0-156739.tgz mkdir $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local cp $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/. vi $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf chown -R splunk.splunk $SPLUNK_HOME/etc/apps/Splunk_TA_nix Configure UF $SPLUNK_HOME/bin/splunk edit user admin -password 'skcorknulps' -role admin -auth admin:changeme $SPLUNK_HOME/bin/splunk add forward-server hostname:9997 $SPLUNK_HOME/bin/splunk/start Verify UF $SPLUNK_HOME/bin/splunk list forward-server Username = admin Passwd = skcorknulps Also helpful to check web interface to verify: App-> *Nix-4.6 -> Configs -> Hardware Configurations by Host NOTES: No firewall changes needed on clients running UF. Must open 9997/TCP on server (unless using a non standard port). Example iptables rule: RHEL5: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s ip.of.client.here --dport 9997 -j ACCEPT RHEL6: -INPUT -m state --state NEW -m tcp -p tcp -s ip.of.client.here --dport 9997 -j ACCEPT ... View more