Remote collecting wineventlog from multiple servers

face2face
New Member

Hi everyone. I am new to Splunk.
I want to remotely collect data from 20 Windows servers + 80 Windows workstations without WEF (not WMI, only event log journals).

  1. I installed the UF on Windows in domain user mode.
  2. Then I installed the Add-on for Windows (Splunk_TA_windows) and configured it up to the point of putting IP addresses into inputs.conf.

I didn't find in the docs how I can set a list of IP addresses or hostnames in inputs.conf.
What is the best way to manage the list of IPs if I want to install a second UF? Should I manage it right on the UF server, or is there a better way?

0 Karma

FrankVl
Ultra Champion

That is described in this section of the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

If you can't deploy UFs to each host, you can use WMI to pull logs remotely. Note that this is typically not really recommended as it performs and scales quite poorly (and config is a pain to maintain, as you need to set up WMI stanzas for each host you want to collect from).

0 Karma

FrankVl
Ultra Champion

I don't entirely follow your questions, can you elaborate a bit? Perhaps share the config you have so far?

0 Karma

face2face
New Member
OS Logs

[WinEventLog://Application]
disabled = 0
start_from = oldest
index = wineventlog_app
current_only = 1
checkpointInterval = 5
renderXml = false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
evt_dc_name = dc01.ptdemo.local
evt_dns_name = ptdemo.local
checkpointInterval = 5
index = wineventlog_sec
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
renderXml = false
index = wineventlog_sys

0 Karma

FrankVl
Ultra Champion

That configuration will only let it collect the logs of the local machine where your UF is running.

What exactly do you want to achieve? A single UF that remotely pulls logs from all your systems, or do you want to deploy UFs to each of your Windows hosts?

0 Karma

face2face
New Member

I know that this config allows collecting only local logs,
but I want to collect remote logs.
E.g. I have a list of 20 servers:
host1
host2
...
host20

Where should I put this list?

UF that remotely pulls logs from all your systems
Yes, from all Windows servers.

0 Karma
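For the "single UF that pulls from a list of hosts" case, the host list does not go into inputs.conf at all; WinEventLog:// stanzas only read the local machine. Remote pulling is configured in wmi.conf, the mechanism FrankVl's first reply points to. The fragment below is an added example, not part of the thread and not Splunk's own sample; it assumes the forwarder's splunkd service runs under the domain account the poster mentioned and that this account has been granted read access to the event logs on each remote host (without that, every pull fails with an access error, and the Security log in particular is only readable by privileged accounts). The hostnames and index names are the ones already used in the thread.

```ini
# wmi.conf on the forwarder that does the remote pulling, e.g.
# %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\wmi.conf
#
# Assumption: splunkd runs as a domain user with read rights on the
# remote hosts' event logs. WMI pulls execute under that identity, so
# grant that account only event log read access, not local admin.

[settings]
# retry/backoff for all WMI inputs, in seconds
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# One stanza per target index. "server" is a comma-separated host list,
# so the 20 hosts from the question go here rather than in separate
# per-host stanzas. host1..host3 shown; append the remaining hosts.
[WMI:RemoteApplication]
server = host1, host2, host3
event_log_file = Application
interval = 10
current_only = 1
disabled = 0
index = wineventlog_app

[WMI:RemoteSystem]
server = host1, host2, host3
event_log_file = System
interval = 10
current_only = 1
disabled = 0
index = wineventlog_sys

[WMI:RemoteSecurity]
server = host1, host2, host3
event_log_file = Security
interval = 10
current_only = 1
disabled = 0
index = wineventlog_sec
```

When the list grows, keep this file under version control and push it with the deployment server (or your config management) instead of hand-editing it on each forwarder; that also answers the "second UF" question, since both forwarders then receive the same stanza. Check the forwarder's splunkd.log for "WMI" access-denied messages after the first restart: a host that is listed but unreachable or unauthorized shows up there, not as silently missing data.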