All our many Unix servers are already set up to send syslog data to a central syslog server for archival. I have a Splunk forwarder installed on the central syslog server sending /var/log to Splunk. Now we are installing the Splunk forwarder on all the Unix servers and using the Splunk Add-on for Unix and Linux to send data into Splunk, which includes everything in /var/log. How do I configure things so as to not have duplicate entries (one from a server and one from the central syslog server) ending up in Splunk?