https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/688749#M17888 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54383">@payl_chdhry</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 27 May 2024 06:27:00 GMT gcusello 2024-05-27T06:27:00Z https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553296#M12245 <P>Hi,</P><P>I am new to working without splunk agents/universal forwards for ingesting data into Splunk. I need to know how application can send data to Splunk indexer/HF, is there exact step provided.</P><P>&nbsp;</P><P>Would it via HEC or by TCP port. And how could users set this up in this way to continuously send data.</P><P>&nbsp;</P><P>Thanks!</P> Thu, 27 May 2021 09:57:33 GMT https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553296#M12245 payl_chdhry 2021-05-27T09:57:33Z https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553301#M12246 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54383">@payl_chdhry</a>,</P><P>you could use WMI to query Windows hosts and take logs, but I don't like this solution because you have to use an account with administrative privileges.</P><P>For more infos see&nbsp; at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata</A>&nbsp;and <A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata</A> .</P><P>I hint to use everytime Universal Forwarders because this permits to you to:</P><UL><LI>filter unwanted logs on UF,</LI><LI>compress transmitted logs,</LI><LI>condifure max bandwidth occupation,</LI><LI>&nbsp;cash logs if there are problems on Indexers or Network.</LI></UL><P>If you want to use WMI put this input in a dedicated Heavy Forwarder.</P><P>In addition you don't have HA because you have to configure only one HF at a time to vaoid to take logs twice.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 27 May 2021 10:28:14 GMT https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553301#M12246 gcusello 2021-05-27T10:28:14Z https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553677#M12257 <P>Thanks&nbsp;<SPAN>gcusello! We do not want to pull the logs, windows team would send the logs to us and they will take care of filtering out data if required. I am looking at enabling HEC on our Heavy forwards. I will create another question for this as I am a bit confused how it will work for clustered environment.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks,</SPAN></P><P><SPAN>Payal</SPAN></P> Mon, 31 May 2021 05:25:11 GMT https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553677#M12257 payl_chdhry 2021-05-31T05:25:11Z https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553679#M12259 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54383">@payl_chdhry</a>,</P><P>If you use HEC, you could put a Load Balancer in front of two Heavy Forwarders, so it distribute logs betweeen&nbsp; the HFs and manage fail over and in this way you have an HA system to take logs from that UFs.</P><P>You could also use Indexers to take HEC logs but you need anyway a Load Balancer.</P><P>If you haven't a Load balancer, you can use a DNS configuration but it's less performant and in case of fail over, you lose the first logs.</P><P>At the end I hint to think again to your solution and take in consideration Universal Forwarders.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 31 May 2021 06:15:04 GMT https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/553679#M12259 gcusello 2021-05-31T06:15:04Z https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/688749#M17888 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54383">@payl_chdhry</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 27 May 2024 06:27:00 GMT https://community.splunk.com/t5/Security/How-to-send-data-to-Splunk-clsuters-from-Windows-without-UF/m-p/688749#M17888 gcusello 2024-05-27T06:27:00Z