I have a Kiwi log collector that Windows event logs are being collected on. The logs are first collected on a remote Kiwi log collector then forwarded to my Kiwi log collector. I know that the best way of getting windows event logs into Splunk is to install the universal forwarder on each windows host, but that is not an option for me.
The goal is to use the TA_Windows app to read the remote Windows event logs that are collected on the Kiwi log collector server and forward the data parsed into Splunk to a index. Any ideas?
@ssievert: The link of blog is not accessible anymore.
Original Link: http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/
I am able to reach to following page which lists the blog summary but fails to open the blog itself:
Blog Summary Page: http://blogs.splunk.com/tag/microsoft/page/4/
If you can still access it, could you please provide the information in the blog. Thanks
This blog post was removed because it was determined to be misleading. The biggest issue with forwarded Windows events was that Splunk's TA for Windows did not properly support logs processed in this way with Splunk's primary content apps (ES, ITSI, Windows Infrastructure, etc.).
For that reason, I am unfortunately not able to provide you with the content.
I have initiated removal of the summary page content as well, thank you for pointing that out.
The best practice to acquire Windows event logs is still to install our Universal Forwarder on the source systems.
The Windows_TA relies on the executables shipped with the Windows forwarder to read perfmon and event log data using standard MS APIs.
What format does the Kiwi log collector store the event log data in?