Splunk Dev

Not clear about heavy forwarder

mindterrian
New Member

Hi

I want to collect specific Windows event logs and use the Universal Forwarder to send them to Splunk Enterprise, for example security events that have task category = File Share.
I saw a suggestion to install a heavy forwarder and I don't understand what a heavy forwarder is. (https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder)

Does that mean installing the Splunk Enterprise software on the Windows Server I want to collect logs from, and configuring forwarding to send the logs to the main Splunk Enterprise?

Thank you

1 Solution

nickhills
Ultra Champion

To answer your question directly.

No.
The simplest way to collect log data from Windows systems is to install a universal forwarder on each of the Windows servers/workstations you want to collect from. (Yes, there are other ways, but a UF is far simpler.)
You then need to configure the UF to collect the logs you are interested in.
If you need to filter out some of the uninteresting events, there is a basic filtering system using black/white lists which you can employ to do this. In this case you would not need a heavy forwarder.

If you have specific (complicated) filtering requirements, you may consider installing an additional heavy forwarder, which your UF will send its logs to first, before the HF sends the data to your indexers.
This approach gives you a lot more control over the filtering and routing of events; however, in most use cases this is unnecessary, and unless you have specific (filtering/pre-processing/network) requirements, it is not needed.

If my comment helps, please give it a thumbs up!


mindterrian
New Member

Hi

OK, then how do I use black/white lists for specific security events that have task category = File Share?

Thank you


nickhills
Ultra Champion

If you want to exclude certain events you can use something like:

[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
blacklist4 = EventCode="4688" Message="conhost"

See: https://docs.splunk.com/Documentation/Splunk/7.2.3/admin/inputsconf#Event_Log_whitelist_and_blacklis...

If you only want "File Share" events, try instead a single whitelist statement like

whitelist1 = TaskCategory="File Share"
If my comment helps, please give it a thumbs up!

mindterrian
New Member

Should I edit the file at the path \SplunkUniversalForwarder\etc\system\default?


mindterrian
New Member

Thank you nickhillscpl

I tested editing the file inputs.conf at the path \SplunkUniversalForwarder\etc\system\default with Notepad++ and it works!!!

----------This is edit test----------

[WinEventLog://Security]
blacklist1 = TaskCategory="Logon"


nickhills
Ultra Champion

You shouldn't edit ./default - you should make changes in ./local

If my comment helps, please give it a thumbs up!
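Putting the two answers above together (the TaskCategory whitelist, and the rule that changes belong in etc\system\local rather than etc\system\default), here is an added PowerShell example. It is not nickhills' code or anything from the original thread. It assumes the Universal Forwarder is installed at the default path C:\Program Files\SplunkUniversalForwarder, that it runs from an elevated prompt, and that the splunk.exe CLI is available to validate and restart the forwarder; the $UfHome path is an assumption you should adjust to your install. Before touching the forwarder it previews, with Get-WinEvent, which recent Security events a "File Share" task-category match would actually keep, so you can see the event IDs involved (the regex also matches the "Detailed File Share" category used by event 5145).

```powershell
# Added example (not from the original thread): deploy a whitelist for
# Security events whose Task Category matches "File Share" to a Windows
# Universal Forwarder, writing to etc\system\local (never etc\system\default).
#
# Assumptions (not from the page): default UF install path, elevated shell,
# and the splunk.exe CLI used for btool validation and restart.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'   # assumed install path
$LocalDir  = Join-Path $UfHome 'etc\system\local'
$Inputs    = Join-Path $LocalDir 'inputs.conf'
$SplunkExe = Join-Path $UfHome 'bin\splunk.exe'

# 1. Preview locally which recent Security events the whitelist would keep.
#    Splunk's TaskCategory filter key corresponds to the event's task display
#    name, so the same regex can be tested against TaskDisplayName here.
$recent   = Get-WinEvent -LogName Security -MaxEvents 2000 -ErrorAction SilentlyContinue
$matching = $recent | Where-Object { $_.TaskDisplayName -match 'File Share' }
"Recent Security events: {0}; matching 'File Share': {1}" -f $recent.Count, $matching.Count
$matching | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# 2. The stanza to add. whitelist uses the key=regex form; a bare quoted
#    string such as "File Share" on its own is not a valid filter.
$stanza = @'

[WinEventLog://Security]
disabled = 0
# Keep only events whose Task Category matches the regex
# ("File Share" and "Detailed File Share").
whitelist1 = TaskCategory="File Share"
'@

# 3. Write to etc\system\local, refusing to clobber an existing stanza.
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
if ((Test-Path $Inputs) -and
    (Select-String -Path $Inputs -Pattern '^\[WinEventLog://Security\]' -Quiet)) {
    throw "$Inputs already has a [WinEventLog://Security] stanza; merge the whitelist by hand."
}
Add-Content -Path $Inputs -Value $stanza -Encoding ASCII

# 4. Show the merged, effective configuration (local overrides default) and
#    restart the forwarder so the new input filter takes effect.
& $SplunkExe btool inputs list 'WinEventLog://Security' --debug
& $SplunkExe restart
```

The btool output is the check worth reading before the restart: the --debug flag prints which file each setting came from, so you can confirm that whitelist1 is being read from etc\system\local\inputs.conf and that nothing in etc\system\default was modified.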

dkeck
Influencer

mindterrian
New Member

Yes, I read that document and it is not clear.
Does Heavy Forwarder mean a Splunk Enterprise instance set up for collecting logs only?
