Should this add-on be installed on my linux forwarder machines in addition to the main Splunk server?
Have a look at this detailed post about Installation and Configuration
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
Thanks very much for the question @ajhstn. I've updated the documentation to explicitly indicate that neither app should be installed on universal forwarders. Installing the TA on universal forwarders won't cause a problem, but there's no benefit in doing so.
Thank you @doksu 🙂
Have a look at this detailed post about Installation and Configuration
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration