This guide describes the installation process for a Splunk infrastructure consisting of a Splunk Enterprise instance acting as indexer, a Splunk Forwarder node, and the Wazuh app for Splunk.
These are the two main components in a common Splunk simple distributed architecture:
Splunk Forwarder: This component runs on the host where the Wazuh manager and the Wazuh API are installed. It reads local data and sends it to the Indexer; in this setup, it forwards the alerts generated by the Wazuh manager.
Splunk Indexer: This component runs the Splunk engine. It receives the data sent by the Forwarder, parses and indexes it, and stores it as events containing the alert data generated by the Wazuh manager.
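As an added example that is not part of this guide or of the Wazuh project's own files, the following Splunk configuration stanzas wire the two components together: the Forwarder on the Wazuh manager host monitors the manager's JSON alert log and ships it over Splunk's forwarding protocol, and the Indexer listens for that stream and stores it in a dedicated index. Assumptions: the alert file path is Wazuh's default JSON alert log, the index and sourcetype names `wazuh` are chosen here, `INDEXER_HOST` is a placeholder for the indexer's address, and 9997 is Splunk's conventional receiving port.

```ini
# --- Forwarder side (Wazuh manager host) ---
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed path: Wazuh's JSON alert log (default location when JSON output is enabled).
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
sourcetype = wazuh
index = wazuh

# File: $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = wazuh_indexer

[tcpout:wazuh_indexer]
# Placeholder: replace INDEXER_HOST with the indexer's hostname or IP.
server = INDEXER_HOST:9997

# --- Indexer side (Splunk Enterprise) ---
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept forwarder connections on the receiving port.
[splunktcp://9997]
disabled = 0

# File: $SPLUNK_HOME/etc/system/local/indexes.conf
# The target index must exist before events arrive, or they are dropped.
[wazuh]
homePath   = $SPLUNK_DB/wazuh/db
coldPath   = $SPLUNK_DB/wazuh/colddb
thawedPath = $SPLUNK_DB/wazuh/thaweddb
```

Restart the Splunk service on both hosts after editing these files; on the forwarder, `splunk list forward-server` reports whether the indexer is reachable, and on the indexer a search such as `index=wazuh` confirms that events are arriving. Because alert data describes the monitored hosts in detail, the forwarder-to-indexer link should be protected with TLS (configured in `outputs.conf` on the forwarder and the receiving input on the indexer) and port 9997 on the indexer should be reachable only from the forwarder hosts.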