#SPLUNK UNIVERSAL FORWARDER WINDOWS EVENT LOGS WINDOWS#
Windows native Event Collection (aka WEC or WEF) is awesome for getting those security logs on to one Windows event collector with zero-touch or agent installation on those thousands of source computers. Are you already using WEC and Splunk and would like to share your tips and lessons learned?.Would you like to monitor more Windows systems with Splunk but lack the budget for the increased indexing?.Are you thinking of using native Windows Event Collection to improve and simplify getting those logs into Splunk with many Universal Forwarders and/or configuring them and the source computers for remote collection?.Most of you have thousands of Windows systems. As mentioned, the clients configured to send directly to the the Indexer are sending WinEventLogs and also this Deployment managed client is showing as connected to both Deployment and Indexer in the splunkd.Integrating Splunk with native Windows Event Collection (WEC) and Optional 2-Stage Noise Filtering Webinar This is a flat network and there is no firewall in place blocking ports. What is wrong with this setup? The instructions on the above link were pretty clear on what should be configured and placed where but the SplunkForwarder is not sending any of the WinEventLogs. The splunkd.log on the client shows that it is Connected to the active indexer and also performing phonehome on port 8089 to the Deployment server. The client shows that it is “Phoning Home” but it does not send any data to the Splunk Indexer. I clicked “Next” on the “Receiving Indexer” dialog as instructed. I have installed the Universal Forwarder on a single Windows workstation configured to connect only to the Deployment Server. I have created an “nf” file and placed it in the “Splunk_TA_windows\default” directory with the WinEventLog for Application, Security, and System all set to “disabled = 0”. I have created an “nf” file and placed it in “sendtoindexer\local\nf” with the indexer IP configured for tcpout. I have created a Server Class for both Apps. I have also brought in the 8.5.0 “Splunk Add-on for Microsoft Windows” and configured a “Splunk_TA_windows” App. I have created a “send to indexer” app and setup the deployment server. I have installed and configured the Splunk Indexer, including all indexes we intend to use for our various devices. The Deployment Server Forwarder Management has been setup following the “How to deploy Splunk App for Windows Infrastructure” Instructions ( ) I have learned that the TA-Windows App for SplunkForwarder should resolve this. The Account Name field is tied to both the user and the computer and they aren’t being tagged as we were in our old 8.2.1 version as “user”. For example, we can no longer do queries for “user” on Account names, as we had done in our previously deployed Splunk environment.
The data is coming over in a difficult to filter manner. This is working well however the event logs are conducive to the dashboards our security team has setup.
Initially I deployed all Windows clients with the SplunkForwarder to send directly to the indexer all WinEventLogs for Application, System, and Security. We have deployed a Splunk 9.0.1 server with SplunkForwarder 9.0.1 Windows Clients.
I have opened a Support Case with Splunk for this issue but I thought maybe I'd see if someone on here has run into this issue before and found a resolution or can point me in the right direction.
0 kommentar(er)
