https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370914#M67359 <P>While there are a variety of ways to accomplish this, it seems the most obvious is <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/MonitorWMIdata">to use WMI</A>.</P> <P>While the UF is still faster and better, if you can't use the UF then using WMI can do a pretty good job of collecting data, especially from newer Windows machines (Windows ~8 and above I think?).</P> <P>You do have to use a Windows server with a full Splunk install on it to collect this data. If your Splunk installation is *nix, you could just stand up one Splunk HF on Windows to use for this purpose.</P> Mon, 07 May 2018 01:42:17 GMT Richfez 2018-05-07T01:42:17Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370912#M67357 <P>I heard a rumour that there was a Splunk Add-On that allowed it to act as a 'Windows Event Collector' Server, and so no need for a native Microsoft WEC Server. Is this true?</P> <P>I need to get events from a bunch of Windows 10 desktops and so look for options, if the above doesn't work I guess I will stand up a few WEC servers.</P> <P>And before anyone comments, no I can't use the Universal Forwarder because of contractual reasons.... Lets leave it at that!</P> Mon, 30 Apr 2018 12:47:17 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370912#M67357 port7 2018-04-30T12:47:17Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370913#M67358 <P>You can try <CODE>snare</CODE>.</P> Mon, 30 Apr 2018 13:05:53 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370913#M67358 woodcock 2018-04-30T13:05:53Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370914#M67359 <P>While there are a variety of ways to accomplish this, it seems the most obvious is <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/MonitorWMIdata">to use WMI</A>.</P> <P>While the UF is still faster and better, if you can't use the UF then using WMI can do a pretty good job of collecting data, especially from newer Windows machines (Windows ~8 and above I think?).</P> <P>You do have to use a Windows server with a full Splunk install on it to collect this data. If your Splunk installation is *nix, you could just stand up one Splunk HF on Windows to use for this purpose.</P> Mon, 07 May 2018 01:42:17 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370914#M67359 Richfez 2018-05-07T01:42:17Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370915#M67360 <P>You can use snare or syslog servers to collect these logs and then use UF/HF from there to send them to splunk.</P> Mon, 07 May 2018 08:45:19 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370915#M67360 amitm05 2018-05-07T08:45:19Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370916#M67361 <P>Why suggest WMI or Snare, if @port7 says he is planning to use Windows Event Forwarding? As far as I'm aware, WEF easily outperforms WMI when it comes to scalability and definitely outperforms Snare when it comes to data quality and making full use of all the CIM modelling in the Windows TA.</P> <P>His only question is whether he needs to set up a WIndows box configured as Windows Event Collector (and then run a Splunk Forwarder on that same box), or whether there is some Splunk add-on that allows Splunk to also take on the Windows Event Collector function.</P> <P>@port7: I've set up Windows log collection before using WEF where I configured a Windows server as the collector and then used a UF on that same box to monitor the forwarded events and send them into Splunk. I've never heard of an add-on that allows Splunk to act as the Collector directly (and a quick search on splunkbase and google also give me 0 results).</P> Mon, 07 May 2018 09:49:18 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370916#M67361 FrankVl 2018-05-07T09:49:18Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370917#M67362 <P>That's my finding too, I couldn't find any Splunk Add-On that can act as a collector for WEF events.</P> <P>It was suggested by a consultant from Microsoft, but I suspect they got their wires crossed.</P> Mon, 07 May 2018 10:03:51 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370917#M67362 port7 2018-05-07T10:03:51Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370918#M67363 <P>Okay, I am assuming this is the same in 2019, and you can't set up Splunk to act as the WEF server, so I will do the same as you and throw a UF on my WEF server.</P> Thu, 01 Aug 2019 17:48:36 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370918#M67363 nick405060 2019-08-01T17:48:36Z https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370919#M67364 <P>What type of results are you getting with the UF on the WEF server ?<BR /><BR /> How many logs are you sending over ? Any latency issues ?</P> Tue, 20 Aug 2019 17:35:41 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-send-Windows-Event-Forwarded-events-direct-to-Splunk/m-p/370919#M67364 itrimble1 2019-08-20T17:35:41Z