topic Re: Forwarding logs from Windows Event Collector in All Apps and Add-ons

Forwarding logs from Windows Event Collector

paxos — Mon, 08 May 2017 10:59:19 GMT

Is it possible to forward collected logs from a Windows Event Collector (WEC) server, i.e. from the Windows service that remotely collects logs from other windows servers, such that the logs are compatible with "Splunk App for Windows Infrastructure" ?

I imagaine that at a minimum this would require "transforming" the default fields of host, source, sourcetype to meaningful values rather than the values that WEC uses. Would this then allow the events to be processed by the "Splunk Add-On for Windows" ?

I know that the recommended method is to use a Universal Forwarder on all servers, or alternatively WMI, but as WEC has been around for a long time I am surprised there is no mention of it here ...
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/AboutWindowsdataandSplunk

Any information about anybody's experiences is much appreciated.

Re: Forwarding logs from Windows Event Collector

adonio — Tue, 09 May 2017 02:04:47 GMT

hello paxos,
I must ask, why not use the Universal Forwarder?

Re: Forwarding logs from Windows Event Collector

paxos — Tue, 09 May 2017 05:25:55 GMT

There are a couple of reasons I am trying to avoid that:
a) the logs are already collected (for another purpose) from the clients on a Windows Event Collector server using the inbuilt Windows Event Forwarding. Collecting them again using a Universal Forwarder would just be doubling the load on those clients and "duplicating" the traffic.
b) to avoid the administrative and cost overhead in organising the installation and update of the Forwarder in an environment managed by an outsourced provider.

Re: Forwarding logs from Windows Event Collector

mikaelbje — Tue, 09 May 2017 06:01:53 GMT

Hi,

Don't use Windows Event Collector
Did you know that the event collector buffers events (tuning the buffers isn't an optimal solution either), adding a delay before Splunk receives the event. You may end up getting events a long time after they were generated
Listen to me, don't use it. I've implemented solutions for several customers using WEC and it was just a waste of time
Ok, you're persistent. See my answer on how to do it here: https://answers.splunk.com/answers/213603/wineventlogforwardedevents-override.html#answer-330822
Ok, there may be a few good reasons to use WEC - such as preventing Splunk Forwarder from eating up all CPU and RAM because of poorly written runaway scripts. You may choose not to use those scripts. GOTO 1

Mikael

Re: Forwarding logs from Windows Event Collector

paxos — Tue, 09 May 2017 16:01:46 GMT

Thanks. Just what I was looking for.

Re: Forwarding logs from Windows Event Collector

dillardo_2 — Wed, 21 Aug 2019 20:49:52 GMT

Hi @mikaelbje, what would you recommend instead of using Windows Event Collectors? Is the alternative simply installing a universal forwarder on every endpoint?

Re: Forwarding logs from Windows Event Collector

itrimble1 — Thu, 22 Aug 2019 16:40:01 GMT

What did you end up going with ?

Re: Forwarding logs from Windows Event Collector

dillardo_2 — Thu, 22 Aug 2019 16:51:49 GMT

@mikaelbje

Re: Forwarding logs from Windows Event Collector

bharrell — Sat, 01 Aug 2020 02:11:33 GMT

I would also like to know what's recommended. Are people really installing Splunk Universal Forwarder on every endpoint? Thanks.

Re: Forwarding logs from Windows Event Collector

engrimranzakir — Thu, 30 Dec 2021 10:45:13 GMT

any other method to collect logs other than wec.