
What is the job of the universal forwarder in Splunk App for Windows Infrastructure?

neerajshah81
Path Finder

Hi All, as a newbie I have a question regarding the App for Windows Infrastructure. We have a single instance of Splunk Enterprise on Linux. I have gone through other threads on this subject before asking this question. Based on its documentation as shown in the image, it says the app collects data from Windows systems using the "Splunk Add-on for Windows" and from Active Directory using the "Splunk Add-on for AD". My question is: where does the "Universal forwarder" that gets deployed on the servers come into the picture if the "Add-on" components are doing the same job? What is the point of installing the UF then?

Their doc also mentions installing the Universal forwarder on Windows systems that we want to monitor. I see that as redundant then, unless someone can please clarify its use in this scenario. I need to monitor Active Directory in our environment and I am tempted to use this App for Infrastructure. How do you guys use this in your environment? Does it work alongside the UF or does it work in place of the UF?


Neeraj


neerajshah81
Path Finder

Hi Adonio, yeah, I am the same guy who asked that question. Please help me to understand this; the query below is irrespective of whether it is a Windows system or a Unix/Linux system. I am citing a Windows deployment here.

1) In a Windows system with the UF installed, we typically configure "$SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf" to forward data to the Indexer. Assume that I have an [admon] or a [WinEventLog://Security] input defined here. Once done, I am able to view these events using search queries via the Search & Reporting App on the Search head. So far so good.

2) Now, when we have the TA for Windows or the TA for Active Directory on the same host with the UF, we would typically configure input stanzas in $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf. Assume I have the same "[admon] or [WinEventLog://Security]" inputs defined here as well.

Does the inputs.conf of the TA then override or ignore the input stanzas that were defined in the UF inputs.conf earlier, so that the system only forwards the events as per the TA inputs.conf to the indexer? OR is it that when we have the TA installed, there is no need to configure the UF inputs.conf at all?


adonio
Ultra Champion

don't use number 1
install Universal Forwarder on Windows Machine
install TA windows on Universal Forwarder that you just installed
install the same windows TA on the Indexer (splunk server)
configure the forwarder to send data to indexer
enable admon and wineventlog security (and whatever else you want) inputs
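As an added illustration of the last two steps (this is example configuration written for this thread, not adonio's own files or text from the Splunk docs): the inputs live in the TA's `local` directory on the forwarder and the indexer target in `outputs.conf`. The indexer hostname, port and index names are assumptions; check the index names against the TA version you deploy and make sure those indexes exist on the indexer.

```ini
# $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf  (on the Windows forwarder)
# The TA ships these stanzas disabled in default/; local/ turns them on.

[admon]
disabled = 0
# follow the whole directory tree, not just the default naming context
monitorSubtree = 1
# assumed index name; adjust to your environment
index = msad

[WinEventLog://Security]
disabled = 0
# first run: read the existing log from the beginning, then tail it
start_from = oldest
current_only = 0
# resolve SIDs/GUIDs to account names using AD
evt_resolve_ad_obj = 1
checkpointInterval = 5
# assumed index name; adjust to your environment
index = wineventlog

# $SPLUNK_HOME\etc\system\local\outputs.conf  (on the Windows forwarder)
# Points the forwarder at the single Splunk Enterprise instance.

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# hostname and receiving port are placeholders for your Linux Splunk server
server = splunk.example.internal:9997
```

With the inputs only in the TA's `local` directory there is no second copy in `SplunkUniversalForwarder\local\inputs.conf` to conflict with it; on the forwarder, `splunk btool inputs list --debug` prints every active stanza together with the file it was read from, which is the quickest way to confirm which copy of a duplicated stanza is in effect.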
