
What is the job of the universal forwarder in Splunk App for Windows Infrastructure?

Path Finder

Hi all, as a newbie I have a question regarding the App for Windows Infrastructure. We have a single instance of Splunk Enterprise on Linux. I have gone through other threads on this subject before asking this question. Based on its documentation, as shown in the image, it says the app collects data from Windows systems using the "Splunk Add-on for Windows" and from Active Directory using the "Splunk Add-on for AD". My question is: where does the "Universal forwarder" that gets deployed on the servers come into the picture, if the "Add-on" components are doing the same job? What is the point of installing the UF then?

Their doc also mentions installing the Universal forwarder on the Windows systems that we want to monitor. I see that as redundant then, unless someone can please clarify its use in this scenario. I need to monitor Active Directory in our environment and I am tempted to use this App for Infrastructure. How do you use this in your environment? Does it work alongside the UF, or does it work in place of the UF?


Neeraj



Path Finder

Hi Adonio, yeah, I am the same guy who asked that question. Please help me to understand this; the query below applies regardless of whether it is a Windows system or a Unix/Linux system. I am citing a Windows deployment here.

1) In a Windows system with the UF installed, we typically configure "$SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf" to forward data to the indexer. Assume that I have an [admon] or a [WinEventLog://Security] input defined here. Once done, I am able to view these events using search queries via the Search & Reporting app on the search head. So far so good.

2) Now, when we have the TA for Windows or the TA for Active Directory on the same host as the UF, we would typically configure input stanzas in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf. Assume I have the same [admon] or [WinEventLog://Security] inputs defined here as well.

Does the inputs.conf of the TA then override or ignore the input stanzas that were defined in the UF inputs.conf earlier, so that the system only forwards the events as per the TA inputs.conf to the indexer? Or is it that when we have the TA installed, there is no need to configure the UF inputs.conf at all?


SplunkTrust

Don't use number 1.
Install the Universal Forwarder on the Windows machine.
Install the Windows TA on the Universal Forwarder that you just installed.
Install the same Windows TA on the indexer (Splunk server).
Configure the forwarder to send data to the indexer.
Enable the admon and WinEventLog Security (and whatever else you want) inputs.
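The steps in the answer above, carried out on the Windows host, as an added example that is not part of the original thread. It assumes the Universal Forwarder is installed under C:\Program Files\SplunkUniversalForwarder, that the Splunk Add-on for Windows has already been copied to etc\apps\Splunk_TA_windows on both the forwarder and the indexer, that the indexer listens on port 9997, and that the wineventlog and msad indexes exist on the indexer; the hostname, credentials and index names are placeholders. The last command is the check for the precedence question raised earlier in the thread: btool prints the merged inputs configuration, and with --debug prefixes each line with the file it came from, so you can see which inputs.conf is actually in effect for a given stanza.

```powershell
# Added example, not from the original thread. Paths, hostname, credentials and
# index names are assumptions; adjust them to your environment.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$TaLocal    = Join-Path $SplunkHome 'etc\apps\Splunk_TA_windows\local'
$Indexer    = 'splunk-indexer.example.local:9997'   # placeholder indexer:port

# Inputs are configured in the TA's local directory, not in the
# SplunkUniversalForwarder app, so the TA's own props/transforms apply and
# the forwarder's app directory stays untouched.
New-Item -ItemType Directory -Path $TaLocal -Force | Out-Null

@'
# Security event log from the local host
[WinEventLog://Security]
disabled = 0
index = wineventlog

# Active Directory monitoring; an empty targetDc means the nearest DC
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
disabled = 0
index = msad
'@ | Set-Content -Path (Join-Path $TaLocal 'inputs.conf') -Encoding ASCII

# Point the forwarder at the indexer (this writes outputs.conf) and restart
# so the new inputs and outputs are picked up.
& $Splunk add forward-server $Indexer -auth 'admin:changeme'   # placeholder credentials
& $Splunk restart

# Show the merged inputs configuration and the file each setting came from,
# limited to the two stanzas above.
& $Splunk btool inputs list --debug | Select-String 'WinEventLog://Security|admon://'
```

On the Linux indexer the receiving port must be open before the forwarder connects, which `splunk enable listen 9997 -auth admin:<password>` does. If the btool output shows the Security or admon stanza coming from SplunkUniversalForwarder\local\inputs.conf rather than from the TA, that is the duplicate definition the thread's author was asking about; remove it from the forwarder app and keep the TA copy.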