Splunk Enterprise

What is best practice? Windows Event Collector or Splunk UF on each workstation?

itrimble1
Path Finder

We seem to be dropping events?

We are currently using Windows Event collectors on our Servers and Workstations and are missing events.

I found this link: Windows Event Forwarding and they say to use the UF?

Has anyone else had problems using Windows Event Forwarding?

1 Solution

itrimble1
Path Finder

We were able to leverage our Windows Event Collectors. We added this to the TA-Windows inputs.conf settings.
# The channel name has no space: Event Viewer displays it as "Forwarded Events",
# but the stanza must use the channel name ForwardedEvents.
[WinEventLog://ForwardedEvents]
# Do not persist a read position for this channel.
suppress_checkpoint = true
# The suppress_* settings below drop the named fields from the indexed event,
# which cuts per-event processing and volume on a high-volume collector channel.
suppress_sourcename = true
suppress_keywords = true
suppress_type = true
suppress_task = true
suppress_opcode = true
# suppress_text drops the event message body as well; only the event metadata
# is indexed, so the body is no longer searchable.
suppress_text = true
# Extra threads (beyond the default writer thread) for whitelist/blacklist filtering.
use_threads = 7

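The accepted fix above keeps the Windows Event Collector in the path, and the original question was about events going missing, so the check a practitioner wants next is whether the collector itself is losing sources. The script below is an added example, not code from this thread or from Splunk: it parses the text that `wecutil gr <subscription>` (get-subscriptionruntimestatus) prints on a WEC server and flags forwarding sources whose last heartbeat is stale or that report a non-zero LastError, plus expected hosts that never appear at all. The sample output, host names, subscription name and timestamps are constructed for the example; the field names follow wecutil's layout, but the exact indentation is an assumption, so adjust the parser if your version prints differently.

```python
"""Flag Windows Event Forwarding sources that have gone quiet on a WEC server.

Added example (not from the forum thread). Parses `wecutil gr <subscription>`
output; the indentation and time format below are assumptions about wecutil's
text layout.
"""
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `wecutil gr MySubscription` output; not captured from a real host.
SAMPLE_STATUS = """\
Subscription: MySubscription
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                ws-0001.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2024-03-01T09:58:10.000
                ws-0002.corp.example
                        RunTimeStatus: Inactive
                        LastError: 5004
                        LastHeartbeatTime: 2024-03-01T07:12:44.000
                ws-0003.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2024-02-29T23:00:00.000
"""
# Constructed "current time" so the sample evaluates deterministically.
SAMPLE_NOW = datetime(2024, 3, 1, 10, 0, 0)
# Constructed inventory of hosts that should be forwarding.
SAMPLE_EXPECTED = ["ws-0001.corp.example", "ws-0002.corp.example",
                   "ws-0003.corp.example", "ws-0004.corp.example"]


def parse_runtime_status(text):
    """Return {source_name: {field: value}} from wecutil gr output.

    Inside the EventSources block, a line without ':' is a source name and
    the 'Key: Value' lines that follow belong to that source.
    """
    sources, current, in_sources = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "EventSources:":
            in_sources = True
            continue
        if not in_sources:
            continue  # subscription-level lines (RunTimeStatus, LastError)
        if ":" not in line:
            current = line
            sources[current] = {}
        elif current is not None:
            key, _, value = line.partition(":")
            sources[current][key.strip()] = value.strip()
    return sources


def stale_sources(sources, now, max_age=timedelta(minutes=30)):
    """Return [(source, reason)] for sources with an error or an old heartbeat.

    Set max_age comfortably above the subscription's heartbeat interval.
    """
    problems = []
    for name, fields in sources.items():
        err = fields.get("LastError", "0")
        if err != "0":
            problems.append((name, f"LastError={err}"))
            continue
        hb = fields.get("LastHeartbeatTime")
        if hb is None:
            problems.append((name, "no heartbeat recorded"))
            continue
        age = now - datetime.fromisoformat(hb)
        if age > max_age:
            problems.append((name, f"last heartbeat {age} ago"))
    return problems


def missing_sources(sources, expected):
    """Expected hosts that have never registered with the subscription at all."""
    return sorted(set(expected) - set(sources))


def check_collector(subscription, expected, max_age=timedelta(minutes=30)):
    """Run wecutil on this WEC server and report sources needing attention."""
    out = subprocess.run(["wecutil", "gr", subscription],
                         capture_output=True, text=True, check=True).stdout
    parsed = parse_runtime_status(out)
    return stale_sources(parsed, datetime.now(), max_age), missing_sources(parsed, expected)


def demo():
    """Evaluate the constructed sample; returns (stale list, missing list)."""
    parsed = parse_runtime_status(SAMPLE_STATUS)
    return stale_sources(parsed, SAMPLE_NOW), missing_sources(parsed, SAMPLE_EXPECTED)


if __name__ == "__main__":
    stale, missing = demo()
    for name, reason in stale:
        print(f"ATTENTION {name}: {reason}")
    for name in missing:
        print(f"MISSING   {name}: never registered with the subscription")
```

On the sample, ws-0002 is reported for its LastError, ws-0003 for an eleven-hour-old heartbeat, and ws-0004 as never having registered; ws-0001 is healthy. Run `check_collector` under a scheduled task on the collector and ship its output to Splunk to get, for a WEC deployment, the "stopped reporting" visibility that the UF gives you per host.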


mmccul
SplunkTrust

I typically recommend the UF on Windows servers. It makes monitoring for problems much easier, such as systems that have stopped sending any data.

As for workstations, that may be a bit stickier, but if your number of workstations is small, a UF is hardly outrageous compared to many other agents I've seen on workstations. The major question to ask yourself is what happens when that workstation (which includes laptops presumably) goes home and then is brought online?


itrimble1
Path Finder

As far as workstations, we have around 4,000. Mixture of physical, persistent and non-persistent VDI.


mmccul
SplunkTrust

With a moderate number of workstations like that, the downside of a forwarder is you know when they stop reporting in. The upside is you know when they stop reporting in. VDI are typically considered more transitory, less permanent, so a forwarder does make less sense. You may need to consider a different solution for each technology type.

Some have had luck with a syslog daemon on Windows to forward log events.

There really is not a single best answer in my view. Each technology has advantages. Forwarders are easier to monitor, harder to deal with systems that are expected to come up and down regularly, but also deal surprisingly well with network disconnects. Event forwarders are simple, but as you've seen, not well known for reliability. Some use syslog or other protocols to introduce more answers.
