
What is the job of the universal forwarder in Splunk App for Windows Infrastructure?

neerajshah81
Path Finder

Hi All, As a newbie I have a question regarding the App for Windows Infrastructure. We have a single instance of Splunk Enterprise on Linux. I have gone through other threads on this subject before asking this question. Based on its documentation as shown in the image, it says the app collects data from Windows systems using the "Splunk Add-on for Windows" and from Active Directory using the "Splunk Add-on for AD". My question is, where does the "Universal Forwarder" that gets deployed on the servers come into the picture then, if the "Add-on" components are doing the same job? What is the point of installing the UF then?

Their doc also mentions installing the Universal Forwarder on Windows systems that we want to monitor. I see that as redundant then, unless someone can please clarify its use in this scenario. I need to monitor Active Directory in our environment and I am tempted to use this App for Infrastructure. How do you guys use this in your environment? Does it work alongside the UF or does it work in place of the UF?


Neeraj


neerajshah81
Path Finder

Hi Adonio, yeah I am the same guy who asked that question. Please help me to understand this; the query below applies regardless of whether it is a Windows system or a Unix/Linux system. I am citing a Windows deployment here.

1) In a Windows system with the UF installed, we typically configure "$SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf" to forward data to the Indexer. Assume that I have an [admon] or a [WinEventLog://Security] input defined here. Once done, I am able to view these events using search queries via the Search & Reporting App on the Search Head. So far so good.

2) Now, when we have the TA for Windows or the TA for Active Directory on the same host with the UF, we would typically configure input stanzas in $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf. Assume I have the same "[admon] or [WinEventLog://Security]" inputs defined here as well.

Does the inputs.conf of the TA then override or ignore the input stanzas that were defined in the UF inputs.conf earlier, so that the system only forwards the events as per the TA inputs.conf to the indexer? OR is it that when we have the TA installed, there is no need to configure the UF inputs.conf at all?


adonio
Ultra Champion

Don't use number 1.
Install the Universal Forwarder on the Windows machine.
Install the TA for Windows on the Universal Forwarder that you just installed.
Install the same Windows TA on the Indexer (Splunk server).
Configure the forwarder to send data to the indexer.
Enable the admon and WinEventLog Security (and whatever else you want) inputs.
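As an added example of the layout described in the steps above (not from the original post or from Splunk's own add-on), here are the two files on the forwarder that enable the admon and Security event log inputs under the TA and point the forwarder at the indexer; the hostname, port and index names are placeholders.

```ini
# File: $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf  (on the forwarder)
# Inputs go in the TA's local directory, not in SplunkUniversalForwarder\local.
# Splunk .conf files only accept comments on their own line, never after a value.

# Active Directory replication monitoring. "NearestDC" is just the stanza name;
# with no targetDc set, the input binds to the closest domain controller.
[admon://NearestDC]
disabled = 0
monitorSubtree = 1
# Placeholder index name; it must exist on the indexer.
index = msad

# Windows Security event log, rendered as XML so field extraction in the TA applies.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
# Placeholder index name.
index = wineventlog

# File: $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\outputs.conf  (on the forwarder)
# Sends everything to the single Linux indexer on its receiving port (9997 is the usual default).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder host: replace with the Splunk Enterprise server's name or IP.
server = splunk.example.com:9997
```

The indexer side must have a receiving port enabled (`splunk enable listen 9997`) and the two indexes created before the forwarder is restarted. Because the stanza names here match the ones in the question, any copy of them left in SplunkUniversalForwarder\local\inputs.conf should be deleted so a single app owns each input.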
