https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/602006#M209528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232137">@Gregski11</a>,</P><P>at first check for new versions of this TA,</P><P>but anyway, using the TA_Windows it's possible to take many other types of data starting from WinEventLog, check the inputs.conf file on each Splunk Server to see which inputs are enabled.</P><P>When you enable these inputs and you enabled forwarding, you'll have in Indexers all logs from all Splunk Servers.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 16 Jun 2022 06:16:05 GMT gcusello 2022-06-16T06:16:05Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601838#M209457 <P>I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them, how then do we run a search across all of our Splunk servers Event Logs to for instance see how long each one was up for?&nbsp; I have the query and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it</P> Wed, 15 Jun 2022 07:10:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601838#M209457 Gregski11 2022-06-15T07:10:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601853#M209465 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232137">@Gregski11</a>,</P><P>each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.</P><P>At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.</P><P>In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Jun 2022 08:12:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601853#M209465 gcusello 2022-06-15T08:12:00Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601932#M209504 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;wrote:<BR /><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232137">@Gregski11</a>,</P><P>each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.</P><P>At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.</P><P>In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).</P><P>Ciao.</P><P>Giuseppe</P><HR /></BLOCKQUOTE><P>thank you so much&nbsp;<SPAN>Giuseppe, it appears we do have the&nbsp;Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible though, but I don't think that matters) I do not see it on our other Splunk servers but they have apps called&nbsp;SplunkForwarder and&nbsp; SplunkLightForwarder I wonder what those apps do on those servers<BR /><BR /><BR /></SPAN></P> Wed, 15 Jun 2022 15:20:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601932#M209504 Gregski11 2022-06-15T15:20:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601984#M209519 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;wrote:<BR /><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232137">@Gregski11</a>,</P><P>each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.</P><P>At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.</P><P>In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).</P><P>Ciao.</P><P>Giuseppe</P><HR /></BLOCKQUOTE><P>Looks like the&nbsp;Splunk Add-on for Windows does not collect Event Logs:<BR /><BR />The Splunk Add-on for Windows allows a Splunk software administrator to collect:</P><UL><LI><DIV class="">CPU, disk, I/O, memory, log, configuration, and user data with data inputs.</DIV></LI><LI><DIV class="">Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default.</DIV></LI><LI><DIV class="">Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging.<BR /><BR /><BR /><A href="https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows</A></DIV></LI></UL><P>&nbsp;</P> Wed, 15 Jun 2022 21:34:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/601984#M209519 Gregski11 2022-06-15T21:34:34Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/602006#M209528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232137">@Gregski11</a>,</P><P>at first check for new versions of this TA,</P><P>but anyway, using the TA_Windows it's possible to take many other types of data starting from WinEventLog, check the inputs.conf file on each Splunk Server to see which inputs are enabled.</P><P>When you enable these inputs and you enabled forwarding, you'll have in Indexers all logs from all Splunk Servers.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 16 Jun 2022 06:16:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-the-aggregated-event-logs-of-our-Splunk-servers/m-p/602006#M209528 gcusello 2022-06-16T06:16:05Z