https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264270#M50694 <P>Thanks for the reply adauria. Your response <EM>somewhat</EM> answers my question. </P> <P>One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data. </P> <P>The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.</P> <P>Basically, is the <CODE>WinEventLog</CODE> method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and <CODE>event_log_file</CODE></P> <P>Thanks again</P> Sun, 12 Feb 2017 23:01:40 GMT arechenberg 2017-02-12T23:01:40Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264265#M50689 <P>Windows event logs can be gathered both via <CODE>WinEventLog</CODE> in <CODE>inputs.conf</CODE> and also via WMI and <CODE>event_log_file</CODE> in <CODE>wmi.conf</CODE></P> <P>Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system?</P> <P>Thanks in advance.</P> <P>Cheers,<BR /> Andy</P> Mon, 30 Jan 2017 17:08:59 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264265#M50689 arechenberg 2017-01-30T17:08:59Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264266#M50690 <P>I usually prefer wineventlog using Splunk Add-on for Windows deployed using a Deployment Server<BR /> Bye.<BR /> Giuseppe </P> Mon, 30 Jan 2017 17:22:36 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264266#M50690 gcusello 2017-01-30T17:22:36Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264267#M50691 <P>Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI?</P> Mon, 30 Jan 2017 18:10:23 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264267#M50691 arechenberg 2017-01-30T18:10:23Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264268#M50692 <P>Security and performance issues with wmi are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method. </P> <P>I will echo the previous reply and suggest that you use the standard Splunk Windows technical add on (TA) as the prefer method of collecting Windows data. WMI is best suited to situations were you cannot install a universal forwarder and you already have a WMI infrastructure in place. </P> <P>You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason. </P> Tue, 31 Jan 2017 12:27:54 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264268#M50692 adauria_splunk 2017-01-31T12:27:54Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264269#M50693 <P>@arechenberg - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.</P> Sun, 12 Feb 2017 07:22:45 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264269#M50693 aaraneta_splunk 2017-02-12T07:22:45Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264270#M50694 <P>Thanks for the reply adauria. Your response <EM>somewhat</EM> answers my question. </P> <P>One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data. </P> <P>The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.</P> <P>Basically, is the <CODE>WinEventLog</CODE> method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and <CODE>event_log_file</CODE></P> <P>Thanks again</P> Sun, 12 Feb 2017 23:01:40 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264270#M50694 arechenberg 2017-02-12T23:01:40Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264271#M50695 <P>WinEventLog is almost always going to be preferred over WMI. The only advantage WMI has is that it supports remote event collection. On the local system running a Universal Forward, WinEventLog is going to be more efficient and provide events in a format compatible with more of apps that use it on Splunkbase. </P> <P>You should also consider using the Splunk Windows Technology Add-On (TA) for Windows event collection. This add on is a plug in to the Universal Forward that collect Windows events as well as other optional elements (e.g. perfmon counters, etc.). It uses the WinEventLog format. Again, besides the performance benefits of collecting events directly (as opposed to WMI, local or otherwise), it delivers events to your Splunk server(s) in a format compatibility with most of the Splunkbase apps that rely on Windows events. </P> Sun, 12 Feb 2017 23:31:56 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264271#M50695 adauria_splunk 2017-02-12T23:31:56Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264272#M50696 <P>I guess you are looking for this link - <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata">http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata</A> </P> Mon, 13 Feb 2017 05:53:22 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264272#M50696 satishsdange 2017-02-13T05:53:22Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264273#M50697 <P>Further supporting this point is the inclusion of this topic over in the docs within the <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata">Considerations for deciding how to monitor remote Windows data</A> page. See the sections <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata#Splunk_forwarders_versus_WMI">Splunk forwarders versus WMI</A> and <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata#Use_a_forwarder_to_collect_remote_Windows_data">Use a forwarder to collect remote Windows data</A>.</P> Fri, 12 Apr 2019 20:30:20 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-practice-for-collecting-Windows-Event-Logs/m-p/264273#M50697 sloshburch 2019-04-12T20:30:20Z