Not clear about heavy forwarder

New Member

Hi

Now I want to collect specific Windows event logs and use the Universal Forwarder to send them to Splunk Enterprise, such as Security events which have Task Category = File Share.
I saw a suggestion to install a heavy forwarder and don't understand what a heavy forwarder is. (https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder)

Does it mean installing the Splunk Enterprise software on the Windows Server I want to collect logs from, and configuring forwarding to send the logs to the main Splunk Enterprise instance?

Thank you

Re: Not clear about heavy forwarder

Influencer

Re: Not clear about heavy forwarder

New Member

Yes, I read that document and it is not clear to me.
Does Heavy Forwarder mean a Splunk Enterprise instance created only for collecting logs?

Re: Not clear about heavy forwarder

Ultra Champion

To answer your question directly.

No.
The simplest way to collect log data from Windows systems is to install a universal forwarder on each of the Windows servers/workstations you want to collect from. (Yes, there are other ways, but a UF is far simpler.)
You then need to configure the UF to collect the logs you are interested in.
If you need to filter 'out' some of the uninteresting events, there is a basic filtering system using black/white lists which you can employ to do this. In this case you would not need a heavy forwarder.

If you have specific (complicated) filtering requirements, you may consider installing an additional heavy forwarder, which your UF will send its logs to first, before the HF sends the data to your indexers.
This approach gives you a lot more control over the filtering and routing of events; however, in most use cases this is unnecessary, unless you have specific (filtering/pre-processing/network) requirements.

Re: Not clear about heavy forwarder

New Member

Hi

OK, then how do I use black/white lists for specific Security events which have Task Category = File Share?

Thank you

Re: Not clear about heavy forwarder

Ultra Champion

If you want to exclude certain events you can use something like:

[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
blacklist4 = EventCode="4688" Message="conhost"

See: https://docs.splunk.com/Documentation/Splunk/7.2.3/admin/inputsconf#Event_Log_whitelist_and_blacklis...

If you only want "File Share" events, try instead a single whitelist statement like

whitelist1 = TaskCategory="File Share"
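
A small Python model of how numbered whitelist/blacklist lines in the key=regex form above decide whether a Windows event is forwarded. This is an added example, not Splunk's matching code and not part of the thread; the rules, event dicts and field names are constructed, and it assumes the documented semantics: key=regex pairs on one line are ANDed, numbered lines are ORed, a bare comma list is exact EventCodes, and an event must match some whitelist (if any exist) and no blacklist.

```python
import re

# Constructed rules in the inputs.conf key=regex form (hypothetical, not a real config):
# numbered whitelist/blacklist lines as (setting name, value) pairs.
RULES = [
    ("whitelist1", r'TaskCategory="File Share"'),
    ("blacklist1", r'EventCode="4663" Message="NT AUTHORITY\\SYSTEM"'),
    ("blacklist2", "4634,4656"),
]

# One key="regex" pair; the regex may contain escaped quotes or backslashes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_rule(value):
    """Turn one whitelist/blacklist value into [(field, compiled_regex), ...].
    A bare comma-separated list is treated as exact EventCodes (ranges not modelled)."""
    value = value.strip()
    if re.fullmatch(r"\d+(\s*,\s*\d+)*", value):
        codes = [c.strip() for c in value.split(",")]
        return [("EventCode", re.compile(r"^(?:%s)$" % "|".join(codes)))]
    pairs = PAIR_RE.findall(value)
    if not pairs:
        raise ValueError("unrecognised rule syntax: %r" % value)
    return [(field, re.compile(regex)) for field, regex in pairs]

def rule_matches(pairs, event):
    """All key=regex pairs on a single line must match (AND). A missing field never matches."""
    return all(rx.search(str(event.get(field, ""))) for field, rx in pairs)

def should_forward(event, rules):
    """Assumed semantics: if any whitelist lines exist the event must match at least one
    of them (OR across lines), and it must match no blacklist line."""
    whitelists = [parse_rule(v) for k, v in rules if k.startswith("whitelist")]
    blacklists = [parse_rule(v) for k, v in rules if k.startswith("blacklist")]
    if whitelists and not any(rule_matches(p, event) for p in whitelists):
        return False
    return not any(rule_matches(p, event) for p in blacklists)

# Constructed sample events with the fields the rules above reference.
SAMPLE_EVENTS = [
    {"EventCode": "5140", "TaskCategory": "File Share", "Message": "A network share object was accessed."},
    {"EventCode": "4624", "TaskCategory": "Logon", "Message": "An account was successfully logged on."},
    {"EventCode": "4663", "TaskCategory": "File Share", "Message": "Account Name: NT AUTHORITY\\SYSTEM"},
    {"EventCode": "4656", "TaskCategory": "File Share", "Message": "A handle to an object was requested."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventCode"], ev["TaskCategory"], "forward" if should_forward(ev, RULES) else "drop")
```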

Re: Not clear about heavy forwarder

New Member

Should I edit the file on the path \SplunkUniversalForwarder\etc\system\default?

Re: Not clear about heavy forwarder

New Member

Thank you nickhillscpl

I tested editing the file inputs.conf on the path \SplunkUniversalForwarder\etc\system\default with Notepad++ and it works!!!

---------- This is the edit test ----------

[WinEventLog://Security]
blacklist1 = TaskCategory="Logon"

Re: Not clear about heavy forwarder

Ultra Champion

You shouldn't edit ./default; you should make changes in ./local.
