As mentioned in previous blogs, the third way of getting data into a Splunk instance is to use a Splunk forwarder. A forwarder is an interface that lets a system send logs or data to a Splunk instance installed on a different computer. It can forward from one Splunk instance to another, or from a non-Splunk system to a Splunk instance on another computer.
There are three types of forwarders in Splunk:
| Type of Forwarder | Description |
|---|---|
| universal forwarder | contains only the components that are necessary to forward data. |
| heavy forwarder | a full Splunk Enterprise instance that can index, search, and change data as well as forward it. The heavy forwarder has some features disabled to reduce system resource usage. |
| light forwarder | is also a full Splunk Enterprise instance, with more features disabled to achieve as small a resource footprint as possible. The light forwarder has been deprecated as of Splunk Enterprise version 6.0. The universal forwarder supersedes the light forwarder for nearly all purposes and represents the best tool for sending data to indexers. |
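To make the forwarding relationship concrete, here is an added example (not from the original post) of the two configuration files that connect a universal forwarder on one machine to an indexer on another. The hostname `indexer.example.local`, the monitored file `/var/log/auth.log`, the sourcetype `linux_secure` and the index `os` are assumptions chosen for illustration; port 9997 is the conventional Splunk-to-Splunk receiving port.

```ini
# --- On the forwarder machine: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Tells the universal forwarder where to ship data. The forwarder itself does
# not index or search anything; it only reads inputs and pushes them out.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed indexer hostname; replace with the real receiver.
server = indexer.example.local:9997

# --- On the forwarder machine: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# One file input; the forwarder tails it and sends new lines to the group above.
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = 0

# --- On the indexer machine: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Opens the receiving port so the indexer accepts data from forwarders.
# Without this stanza the forwarder's connection attempts are simply refused.
[splunktcp://9997]
disabled = 0
```

After restarting both instances, the indexer's `_internal` index shows the forwarder connecting, and events from the monitored file appear under `index=os`. Note that this stanza pair sends data in the clear; the SSL-related settings in outputs.conf and inputs.conf (not shown here) are what protect the channel when the two machines are not on a trusted network.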
In my next two blogs, I will go through how to set up those forwarders. However, since the setup spans a few different systems, I recommend using virtual machines.
You may refer to my previous blogs for instructions on how to install a virtual machine.