All Apps and Add-ons

Remote collecting wineventlog from multiple servers

face2face
New Member

Hi everyone. I am new in splunk.
I want remote collect data from 20 Windows servers + 80 windows workstations without WEF (not WMI, only eventlog journals)

  1. I installed UF on Windows with domain user mode.
  2. then installed Add-on for windows (Splunk_TA_windows) and configured it until put ip addresses into inputs.conf

i didnt find in docs how i can set list of ip addresses or hostnames in inputs.conf?
What is the best way to manage list of ip if i want install second UF? should i manage it right on the UF server or there is better way?

0 Karma

FrankVl
Ultra Champion

That is described in this section of the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

If you can't deploy UFs to each host, you can use WMI to pull logs remotely. Note that this is typically not really recommended as it performs and scales quite poorly (and config is a pain to maintain, as you need to set up WMI stanzas for each host you want to collect from).

0 Karma

FrankVl
Ultra Champion

I don't entirely follow your questions, can you elaborate a bit? Perhaps share the config you have so far?

0 Karma

face2face
New Member
OS Logs

[WinEventLog://Application]
disabled = 0
start_from = oldest
index = wineventlog_app
current_only = 1
checkpointInterval = 5
renderXml=false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
evt_dc_name = dc01.ptdemo.local
evt_dns_name = ptdemo.local
checkpointInterval = 5
index = wineventlog_sec
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
renderXml=false
index = wineventlog_sys

0 Karma

FrankVl
Ultra Champion

That configuration will only let it collect the logs of the local machine where your UF is running.

What exactly do you want to achieve? A single UF that remotely pulls logs from all your systems, or do you want to deploy UFs to each of your windows hosts?

0 Karma

face2face
New Member

i know, that this config allow collect only local logs.
but i want collect remote logs
E.g. i have list of 20 servers
host1
host2
...
host20

Where i should put this list?

UF that remotely pulls logs from all your systems
yes, from all windows servers

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...