<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forwarder Data Input recommendations for Windows servers - different roles in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101034#M21157</link>
    <description>&lt;P&gt;Snare is fine, but I do recommend, whenever possible, to use a Universal Forwarder on the Windows servers to send logs to Splunk indexers, because you can take advantage of Forwarder's functionality like load balancing, consistency of logs sent in case of communication failures or if the indexer is down, just to mention some. &lt;BR /&gt;
Moreover, using a forwarder, you have native recognition of events coming from WinEventlog. &lt;/P&gt;</description>
    <pubDate>Thu, 30 May 2013 07:24:47 GMT</pubDate>
    <dc:creator>marcoscala</dc:creator>
    <dc:date>2013-05-30T07:24:47Z</dc:date>
    <item>
      <title>Forwarder Data Input recommendations for Windows servers - different roles</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101032#M21155</link>
      <description>&lt;P&gt;Best recommended practices - Data Input config for Windows servers with the following roles
IIS - SQL - Domain Controllers - SharePoint - Exchange &lt;/P&gt;</description>
      <pubDate>Wed, 08 Dec 2010 05:37:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101032#M21155</guid>
      <dc:creator>oneashraf</dc:creator>
      <dc:date>2010-12-08T05:37:59Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder Data Input recommendations for Windows servers - different roles</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101033#M21156</link>
      <description>&lt;P&gt;I'm going to assume you are using some type of log forwarder to send these logs to Splunk. I am using Snare on my Windows servers. It allows me to tell it to send logs on any port I choose. For my DHCP Server, I'm having it send logs to Splunk using port 516. On Splunk, I've configured a Data Input, UDP port 516, SourceType: from list, Windows Snare Syslog.&lt;/P&gt;

&lt;P&gt;It formats it perfectly. I guess you could do that for each Server.   &lt;/P&gt;</description>
      <pubDate>Wed, 08 Dec 2010 06:22:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101033#M21156</guid>
      <dc:creator>mayler</dc:creator>
      <dc:date>2010-12-08T06:22:40Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder Data Input recommendations for Windows servers - different roles</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101034#M21157</link>
      <description>&lt;P&gt;Snare is fine, but I do recommend, whenever possible, to use a Universal Forwarder on the Windows servers to send logs to Splunk indexers, because you can take advantage of Forwarder's functionality like load balancing, consistency of logs sent in case of communication failures or if the indexer is down, just to mention some. &lt;BR /&gt;
Moreover, using a forwarder, you have native recognition of events coming from WinEventlog. &lt;/P&gt;</description>
      <pubDate>Thu, 30 May 2013 07:24:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101034#M21157</guid>
      <dc:creator>marcoscala</dc:creator>
      <dc:date>2013-05-30T07:24:47Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder Data Input recommendations for Windows servers - different roles</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101035#M21158</link>
      <description>&lt;P&gt;I agree with the comments so far.  I just want to expand just a little more.&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;Install the Universal Forwarder on the target Windows machines&lt;/LI&gt;
&lt;LI&gt;Install the Windows app and see how much mileage that gets you in monitoring the rest; also look at the Exchange and SQL apps as well.
Browse the aforementioned apps' directory structure and explore such things as the inputs and savedsearches conf files to see how all this is working behind the scenes.  Feel free to copy and paste these searches in the search bar and modify/tweak to gain additional insights into your data.&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;For more fine tuning, consider this:&lt;BR /&gt;
 - the application inputs SQL, IIS, Exchange, etc can get real chatty...that's both good and bad.  Here is my suggestion on this:&lt;BR /&gt;
 Create a test-msft index and send your data from a couple of servers to that index for a couple of days.  What you are looking for is what data is mere noise vs insights.  You create a test index so that once you get the data you like coming in, you point it to either your default index or another index; afterwards, delete the test index.  (this is a common practice for me)&lt;/P&gt;

&lt;P&gt;Install the Deployment Monitor and the SoS apps to monitor what you will be doing next.&lt;/P&gt;

&lt;H2&gt;Grooming your data:  &lt;/H2&gt;

&lt;P&gt;This will be done using the inputs.conf file on each forwarder.  Here's the link: &lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Inputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Inputsconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;If you feel the need to throttle the amount of data being indexed, add information to the "whitelist" and "blacklist" sections.  This restricts/allows what data will be forwarded to the indexer.&lt;/P&gt;</description>
      <pubDate>Fri, 31 May 2013 19:46:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Data-Input-recommendations-for-Windows-servers/m-p/101035#M21158</guid>
      <dc:creator>barakreeves</dc:creator>
      <dc:date>2013-05-31T19:46:05Z</dc:date>
    </item>
  </channel>
</rss>

