From looking at the available apps, I see that this app is only available for Splunk Enterprise 5.x. I have a Windows Server 2008 installed and want to get the events fed into Splunk in syslog format, but more importantly I want some assistance with figuring out what the event logs are telling me. I don't want an app to monitor my Windows servers as I only have one server, but I do want an app that can help me figure out what the Windows event logs are indicating. We have installed the Universal Forwarder on our Windows server, but this only forwards the events and does nothing with formatting, so the logs look like 3 lines of info per event and are not any more intuitive than reviewing them manually.
For @wroshon's pleasure I'll attempt to answer the non-question.
If you install the universal forwarder with the MSI you'll have the option to select which event logs you want to monitor, and it will automatically use the correct sourcetype for each log. The sourcetype is what helps Splunk know where to break data into events, how to find event timestamps, and more. It would seem from your improper event breaking that you have a sourcetype misconfiguration.
Your easiest route is to just reinstall the universal forwarder and use the custom installation to configure it via the GUI. If that's not an option you need to check your inputs.conf on the UF to make sure the sourcetypes look like this example for the Windows security log:
Application, System, and Setup are other common logs to monitor and they'd look the same but the sourcetype name after the colon would change for each.
Now, once you have your logs in the correct format, you can run searches like 'index=wineventlog level=ERROR' which would show you all the event logs that were raised as errors. Perhaps you'll monitor 100 servers: you run a code deployment on Tuesday, check Splunk on Friday, and find a huge spike in errors on Tuesday and thereafter.
If by now you're not seeing the advantage of using Splunk to monitor Windows like @wroshon, then perhaps Splunk isn't your thing. If you're like me though, a light bulb should be flickering inside/beside your head and you probably have an exciting career ahead of you involving Splunk. Cheers and best of luck to everyone just getting started on an awesome career path that involves big data analytics.
@jkat5. I appreciate your enthusiasm for Splunk. I don't share it in the least. That light bulb lit up last week and I cursed it and had to replace it several times before it would stop flickering. No big data analytics here. I find them as exciting as dirt if I have to use a product that requires this level of commitment and expertise to deploy and manage to perform the simplest task effectively. This is clearly a product that requires mastery to perform a simple task. It's incredibly powerful and configurable and you can monitor anything if you're willing to pay the price of entry. Perfectly fine if that's your goal.
I've already concluded Splunk is not my thing. As Zathras said, "This is the wrong tool." I concluded that when I was given this project and skimmed the documentation for installing the App for Windows Infrastructure. I knew I was in trouble when I saw the Splunk certified consultant projected ~$10k of professional services to deploy a new instance that supported what we wanted logged. It turned out to be even more painful than I anticipated once the ugly truth emerged that our indexing costs would quintuple unless I could find a way to Tame the Security Logs. That's why I'm here now.
I don't have the time to master a whole framework and paradigm just to archive logs. I inherited this really expensive Syslog server because somebody read how powerful it was and had all these "Apps" available for it. It was easy to set it up as a Syslog server without a sweat. Once a colleague tried installing the App for Exchange, but quickly abandoned it after learning how much manual configuration was involved. I had hoped to be able to install the App for Windows Infrastructure, point my Windows servers at it and go on my merry way. Instead I have my daily indexing mushroom from 10 GB/day ingesting all of our Cisco syslog data from hundreds of switches and several firewalls to 80 GB yesterday ingesting security logs from 10 Domain Controllers. I'm currently over 12 GB today after throwing everything I could find to squelch the flow. That puts us well over our recently upgraded license.
I have SCOM to monitor Windows infrastructure. I've had to rewrite a few monitors where M$ programmers were lazy to make things work properly, but otherwise it was install and configure. Most management packs, the equivalent to Splunk Apps, work on install. All dependencies are managed by SCOM.
I have customized my inputs.conf file so only the security log is forwarded (see below). Had to, because there was no way to set that restriction through the GUI. I've also blacklisted a couple of events that are known to be noisy. I've even applied some event re-writes on a couple of events (Whoo hoo, welcome to props.conf and transforms.conf). I've applied tweaks identified in the following blogs, which I found in my attempt to bring this under control. Splunk Support doesn't seem to be aware of these, though two are from an internal blog.
[WinEventLog://Security]
# Security log only; this stanza header is implied by the post above, and the
# same key names apply to any other WinEventLog:// stanza
disabled = 0
# 0 keeps the full Message body, which is most of the per-event volume
suppress_text = 0
start_from = oldest
current_only = 0
# resolve SIDs and object GUIDs to names; the Object Type blacklists below rely on it
evt_resolve_ad_obj = 1
checkpointInterval = 5
# drop 4662/566 object-access events unless the object is a groupPolicyContainer;
# every field="regex" pair in one blacklistN must match for the event to be dropped
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
The learning curve for Splunk is about as steep as I've ever encountered. The documentation is a horrible hodgepodge of disjointed documents that is about the worst I can remember trying to decipher. Examples are horribly simple and generic with a clear bias toward Syslog and *nix use cases and assume *nix installations in most cases. The documentation for the Splunk App for Windows Infrastructure is the documentation for the Splunk App for Exchange with the name changed. No one even bothered to find the references to Exchange and replace them with Active Directory.
I've lost track of how many times I've reinstalled the UF. Once was because I intuitively chose what I wanted in the custom configuration, only to learn later, in the troubleshooting section of the instructions, that if you do, all events go to the default index.
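Both points above can be checked offline: jkat54's remark that the sourcetype is what breaks the forwarder's output into one event per timestamp line, and the two blacklist lines in the inputs.conf just posted. The Python below is an added example written for this page; it is not Splunk's code and was not posted by anyone in the thread. It emulates the Windows UF's multi-line key=value layout and Splunk's multi-field blacklist matching under these assumptions: only the field="regex" form is handled (not %regex%), each regex is applied as an unanchored search, and all pairs of one blacklistN must match for an event to be dropped. The sample events, hostnames and object names are constructed. It also shows an edge case worth knowing about the posted pattern: because `\s+` can backtrack, `Object Type:\s+(?!groupPolicyContainer)` also drops the groupPolicyContainer events it is meant to keep whenever more than one whitespace character (tabs, in the tab-aligned Windows message layout) follows `Object Type:`; moving the whitespace into the lookahead avoids that.

```python
"""Emulate Windows Universal Forwarder event breaking and inputs.conf
blacklist matching over constructed sample events (added example)."""
import re
from collections import Counter

# Constructed sample in the multi-line key=value layout the Windows UF emits
# for WinEventLog sourcetypes (fields trimmed). Not real log data; hosts and
# object names are made up.
RAW = """\
01/14/2015 09:12:01 AM
LogName=Security
EventCode=4662
Type=Information
ComputerName=DC01.corp.example
Message=An operation was performed on an object.
\tObject Type:\t\tgroupPolicyContainer
\tObject Name:\t\tCN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example
01/14/2015 09:12:02 AM
LogName=Security
EventCode=4662
Type=Information
ComputerName=DC01.corp.example
Message=An operation was performed on an object.
\tObject Type:\t\tuser
\tObject Name:\t\tCN=jdoe,OU=Staff,DC=corp,DC=example
01/14/2015 09:12:03 AM
LogName=Security
EventCode=4624
Type=Information
ComputerName=DC01.corp.example
Message=An account was successfully logged on.
01/14/2015 09:12:04 AM
LogName=Application
EventCode=1000
Type=Error
ComputerName=APP01.corp.example
Message=Faulting application name: w3wp.exe
"""

# A WinEventLog sourcetype starts a new event at every line that is only a timestamp.
TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$", re.M)
# field="regex" pairs of a multi-field blacklist (the %regex% form is not handled).
RULE_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def split_events(raw):
    """Break the forwarder stream into events; without this you get the
    'three lines per event' mess the question describes."""
    starts = [m.start() for m in TIMESTAMP.finditer(raw)]
    return [raw[s:e].rstrip("\n") for s, e in zip(starts, starts[1:] + [len(raw)])]


def parse_event(text):
    """Header key=value lines become fields; Message keeps its multi-line body."""
    lines = text.split("\n")
    fields = {"_time": lines[0]}
    for i, line in enumerate(lines[1:], 1):
        key, sep, value = line.partition("=")
        if key == "Message":
            fields["Message"] = "\n".join([value] + lines[i + 1:])
            break
        if sep:
            fields[key] = value
    return fields


def parse_blacklist(spec):
    """'EventCode="4662" Message="..."' -> [(field, compiled regex), ...]."""
    return [(field, re.compile(rx)) for field, rx in RULE_PAIR.findall(spec)]


def is_blacklisted(event, rules):
    """Dropped when every field/regex pair of some rule matches. Matching is an
    unanchored search (assumption), so anchor EventCode with ^...$ to be safe."""
    return any(all(rx.search(event.get(f, "")) for f, rx in rule) for rule in rules)


def forward(raw, blacklist_specs):
    """What reaches the indexer: broken, parsed and filtered events."""
    rules = [parse_blacklist(s) for s in blacklist_specs]
    return [e for e in map(parse_event, split_events(raw)) if not is_blacklisted(e, rules)]


# The rule as posted in the thread: \s+ backtracks to a single tab, the lookahead
# then sees "\tgroupPolicyContainer", and the GPO event is dropped as well.
POSTED = r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'
# Whitespace inside the lookahead leaves nothing to backtrack over; EventCode anchored.
FIXED = r'EventCode="^4662$" Message="Object Type:(?!\s*groupPolicyContainer)"'


def kept_codes(spec):
    return sorted(e["EventCode"] for e in forward(RAW, [spec]))


def count_by(spec, field):
    """Search-time view, e.g. 'index=wineventlog Type=Error' as a group-by."""
    return dict(Counter(e.get(field, "") for e in forward(RAW, [spec])))


if __name__ == "__main__":
    print("posted rule keeps", kept_codes(POSTED))  # ['1000', '4624']: GPO event lost
    print("fixed rule keeps ", kept_codes(FIXED))   # ['1000', '4624', '4662']
    print("by Type", count_by(FIXED, "Type"))      # {'Information': 2, 'Error': 1}
```

Run it as-is; the first line of output shows the posted rule silently discarding the one 4662 event the author wanted to keep. Before shipping any blacklist regex to a forwarder, test it this way against a pasted copy of a real event's Message body, with the tabs intact, since the field separator is exactly what the pattern trips over.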
If you want to open your own questions we can help you there, but as far as I know this is someone else's question and I'd like to be sure we only address their question here. Just @jkat54 to get my attention in your own threads. I'll be happy to help. And yes, the Windows security logs are extremely verbose but can be reduced with some GPO settings etc.
ChrisG, That is not an answer to his question, but it is in line with the answers I always seem to get from Splunk, which invariably are links to documents I've already read that don't answer my question.
That's kind of a fair comment, and I apologize for what must have been a very hasty original answer on my part.
Pointing to the newer Splunk Add-on for Microsoft Windows is a partial answer to the question: that is the add-on that is compatible with Splunk Enterprise 6 and will normalize Windows events to the Common Information Model. It collects CPU, disk, I/O, memory, log, configuration, and user data. If you are looking for an app that helps you understand and interpret those events, that's the Splunk App for Windows Infrastructure.
If the question is about what information Windows event logs contain and how to understand Windows events, there are a lot of good resources available on the web.
Did you have a specific follow-up question that the community can help you with?
Thanks for the update on this. There doesn't seem to be any documentation associated with the Add-on. Most people asking questions here are looking for answers on how to get value from importing their Windows logs into Splunk. Most Windows admins know what the events are or how to find information on them on the web. The question again is how to get value out of Splunk when it comes to Windows. Windows-centric log managers, of which there are plenty, provide a great deal of analysis of the logged data. I think that is the point that plj3736 was making. Why use Splunk if all it does is collect my logs when it doesn't seem to give me anything more than an archive?
I've been searching for answers to issues I'm experiencing with the Splunk Application for Windows Infrastructure and the volume of indexing that is generated by Windows event logs. Based on the thousands of views on questions on Splunk and Windows (with no votes and rarely a real answer, by the way) it would appear that I'm not the only one with lots of questions. You would think with the volume of interest on the subject that the Splunk Documentation, Development and Support groups would take interest. From what I've viewed and experienced with a support agreement, that doesn't seem to be the case. From this experience, I suggest that anyone interested in managing the Windows logs look for another solution from a vendor that has real interest in supporting the Windows platform.
If it is possible to find useful answers to Splunk Windows support and configuration I would love to learn how to find it. I've found Google less than useful in this matter because of the volume of out of date references to older versions and apps.
I have yet to find any current, comprehensive documentation on tuning the Splunk Application for Windows Infrastructure, the TA for Windows or the Windows Universal Forwarder.
This question, viewed by 1.4k users, has an answer which links to http://docs.splunk.com/Documentation/WindowsApp/latest/User/InstalltheSplunkTechnologyAdd-onforWindo... (which doesn't exist)
Boy, I haven't seen anyone reference IRC in a long time. I thought it was little more than a dark alley to be avoided anymore. If that's the place for useful Splunk answers, it explains why they are hard to find.
Fact remains, Splunk is the best thing since sliced bread for monitoring just about anything. That, and the OP of this question didn't use a single question mark, so it's difficult to know where to begin to answer them.
I can tell you this: lots of Windows configurations are slightly different but not documented as such. For example, you'll almost always see Unix-style file paths in examples and documentation. Regex has some subtle differences, etc. Rest assured though, I've used Windows since 3.0 and I absolutely LOVE Splunk for Windows solutions.
You've nailed it there. To me Windows Splunk looks like a lazy port from Linux and it shows (keep looking for Cygwin). Splunk users and devs appear to be overwhelmingly *nix heads where "real men use the CLI", fully schooled in AWK, Perl, Python and grep.
I spent enough time on Solaris in the 80s and Linux in the 90s to recognize the patterns. Never a big fan of the reliance on Regex. Not really a fan of Windows, but it's paid the bills for the last 20 years. A lot of the fun comes from, "which of the 5 /local directories on which server are you talking about where I put my modified config file?" At least with a mainstream Linux distribution you can find fairly detailed Linux How-To docs for most things, and you haven't had to worry about dependencies for years with the different package managers. This experience is taking me back to the days when I'd have to build a custom kernel to fit what I needed with the drivers I needed into an old x286 box that only had 512k memory, hand tuning .rc scripts.