https://community.splunk.com/t5/Getting-Data-In/Is-there-a-best-practice-guide-for-Splunk-and-Windows-Event/m-p/415493#M73464 <P>Does anyone have a guide for load balancing among Windows Event Collectors?</P> <P>We have about 8 Windows Event Collector Servers. </P> <P>We want to know if there is a <STRONG>best practice</STRONG> guide to get this set up correctly in Splunk, or any other SIEM.</P> <P>We appear to be experiencing <STRONG>latency</STRONG> from the time the event is transmitted from the UF -----&gt; HF.........&gt;IDX.</P> Fri, 07 Jun 2019 13:59:36 GMT itrimble1 2019-06-07T13:59:36Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-best-practice-guide-for-Splunk-and-Windows-Event/m-p/415493#M73464 <P>Does anyone have a guide for load balancing among Windows Event Collectors?</P> <P>We have about 8 Windows Event Collector Servers. </P> <P>We want to know if there is a <STRONG>best practice</STRONG> guide to get this set up correctly in Splunk, or any other SIEM.</P> <P>We appear to be experiencing <STRONG>latency</STRONG> from the time the event is transmitted from the UF -----&gt; HF.........&gt;IDX.</P> Fri, 07 Jun 2019 13:59:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-best-practice-guide-for-Splunk-and-Windows-Event/m-p/415493#M73464 itrimble1 2019-06-07T13:59:36Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-best-practice-guide-for-Splunk-and-Windows-Event/m-p/415494#M73465 <P>I thought I'd answer this post, since I've learned a lot in between the original question and now. <STRONG>These resources really helped me out</STRONG>. I hope they can do the same for you.</P> <P><A href="https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/">Monitoring What Matters</A> - Jessica Payne (Microsoft)<BR /> <A href="https://www.splunk.com/blog/2017/08/07/peeping-through-windows-logs.html">Peeping Through WIndows</A> (Logs) - Hunting With Splunk - Part 5<BR /> <A href="https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1433">Integrating Splunk with native Windows Event Collection</A> - Great Webinar from Ultimate Windows Security<BR /> <A href="https://www.batchworks.de/why-using-xml-event-logs-sucks-using-splunk/">To XML or Classic Format</A> - Conclusion is that XML collection is slower than classic rendering<BR /> <A href="https://github.com/palantir/windows-event-forwarding">Windows Event Forwarding Guidance</A> - Guide to help setting up central Windows Logging through a collector<BR /> <A href="https://blogs.technet.microsoft.com/russellt/2017/05/09/project-sauron-introduction/">Project Sauron</A> - Centralized Storage of Windows Events (Microsoft)<BR /> <A href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wecutil">Create and Manage Subscriptions with PowerShell</A><BR /> <A href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wecutil">Best Practice for Configuring EventLog Forwarding</A> - specifically Server 2012R2, Server 2016<BR /> <A href="https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk#">Blacklists and Whitelist Tuning</A> - Hurricane Labs - Great guide to save on licensing</P> Tue, 08 Oct 2019 17:11:48 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-best-practice-guide-for-Splunk-and-Windows-Event/m-p/415494#M73465 itrimble1 2019-10-08T17:11:48Z