Splunk Forwarder Linux Setup
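#!/usr/bin/env bash
# Splunk Universal Forwarder setup on Linux (x86_64).
# Downloads the forwarder tarball, verifies it, unpacks it under /opt,
# changes the admin password, registers the receiving indexer and adds one
# directory to monitor. Run from a shell with sudo rights.
set -euo pipefail

# Build to install; version and build id are both part of the tarball name.
readonly SPLUNK_VERSION=7.2.1
readonly SPLUNK_BUILD=be11b2c46e23
readonly TARBALL="splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz"
# SHA-512 of the tarball as published next to the download on splunk.com.
# Placeholder: fill in before running; the install stops until it matches.
readonly EXPECTED_SHA512='<sha512 from the splunk.com download page>'
# Receiver the forwarder sends data to (host:receiving-port).
readonly FORWARD_SERVER='YourSplunkServer.com:9997'
# Directory whose files are forwarded.
readonly MONITOR_DIR='/opt/log/www1/'

# Get splunk
wget -O "$TARBALL" "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=${SPLUNK_VERSION}&product=universalforwarder&filename=${TARBALL}&wget=true"
# Verify the archive before it is unpacked as root into /opt.
printf '%s  %s\n' "$EXPECTED_SHA512" "$TARBALL" | sha512sum -c - \
  || { printf 'checksum mismatch for %s; not installing\n' "$TARBALL" >&2; exit 1; }
sudo tar -xzf "$TARBALL" -C /opt
cd /opt/splunkforwarder/bin || exit 1
# Start splunk forwarder
sudo ./splunk start --accept-license
sudo ./splunk enable boot-start
# Change the default password from changeme.
# The password is read from the terminal rather than written into the script:
# an unquoted literal such as newp@$$w0rd is not what it looks like ($$ expands
# to the shell's PID), and a hard-coded value lands in history and backups.
# NOTE(review): recent forwarder releases may already prompt for the admin
# password on first start; if that happened, the "changeme" step is redundant
# and the -auth value below should be the password chosen at that prompt.
read -rs -p 'New admin password: ' new_pass; printf '\n'
# The CLI still takes the password as an argument, so it is visible in `ps`
# for the duration of each call; rotate it afterwards on a shared host.
sudo ./splunk edit user admin -password "$new_pass" -role admin -auth 'admin:changeme'
# Add forward server (Where to send data)
sudo ./splunk add forward-server "$FORWARD_SERVER" -auth "admin:${new_pass}"
# Point to directory to monitor
sudo ./splunk add monitor "$MONITOR_DIR"
unset new_pass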
Reference: https://www.splunk.com/en_us/resources/videos/splunk-education-getting-data-in-with-forwarders.html