What is best practice? Windows Event Collector or Splunk UF on each workstation?

Path Finder

We seem to be dropping events?

We are currently using Windows Event collectors on our Servers and Workstations and are missing events.

I found this link: Windows Event Forwarding, and they say to use the UF?

Has anyone else had problems using Windows Event Forwarding?

0 Karma
1 Solution

Path Finder

We were able to leverage our Windows Event Collectors. We added this to the TA-Windows inputs.conf settings.
[WinEventLog://ForwardedEvents]
# The channel name has no space; "Forwarded Events" is only the Event Viewer display name
# The suppress_* settings trim per-event work so the input keeps up with the collector's volume
suppress_checkpoint = true
suppress_sourcename = true
suppress_keywords = true
suppress_type = true
suppress_task = true
suppress_opcode = true
suppress_text = true
# Additional threads for whitelist/blacklist filtering of incoming events
use_threads = 7

0 Karma
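
A collector-side health check to go with the solution above, as an added example that is not part of the original post: it summarises each WEF subscription as reported by wecutil and shows how the ForwardedEvents channel that the Splunk input reads is sized. It assumes an elevated PowerShell session on the collector with wecutil.exe on PATH.

```powershell
# Added diagnostic for the collector side of the setup discussed in this thread
# (example code, not from the original post). Assumes an elevated PowerShell
# session on the WEC server with wecutil.exe on PATH.

function Get-WefSubscriptionHealth {
    # "wecutil es" prints one subscription name per line.
    $names = @(wecutil es | Where-Object { $_.Trim() -ne '' })
    foreach ($name in $names) {
        # "wecutil gr" prints the subscription's own RunTimeStatus/LastError first,
        # then one indented RunTimeStatus/LastError block per forwarding source.
        $report   = @(wecutil gr $name.Trim())
        $states   = @($report | Select-String -Pattern '^\s*RunTimeStatus:\s*(\S+)')
        $errLines = @($report | Select-String -Pattern '^\s*LastError:\s*(\S+)')

        # The first match belongs to the subscription itself, the rest to sources.
        $subState     = if ($states.Count) { $states[0].Matches[0].Groups[1].Value } else { 'Unknown' }
        $sourceStates = @($states   | Select-Object -Skip 1 | ForEach-Object { $_.Matches[0].Groups[1].Value })
        $sourceErrors = @($errLines | Select-Object -Skip 1 | ForEach-Object { $_.Matches[0].Groups[1].Value })

        [pscustomobject]@{
            Subscription      = $name.Trim()
            SubscriptionState = $subState
            Sources           = $sourceStates.Count
            InactiveSources   = @($sourceStates | Where-Object { $_ -ne 'Active' }).Count
            SourcesWithError  = @($sourceErrors | Where-Object { $_ -ne '0' }).Count
        }
    }
}

function Get-ForwardedEventsChannelInfo {
    # Size and retention of the channel the [WinEventLog://ForwardedEvents] input reads.
    # A Circular log that wraps before the forwarder has read it loses those records.
    $log = Get-WinEvent -ListLog ForwardedEvents
    [pscustomobject]@{
        IsEnabled     = $log.IsEnabled
        LogMode       = $log.LogMode
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        FileSizeMB    = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount   = $log.RecordCount
        LastWriteTime = $log.LastWriteTime
    }
}

Get-WefSubscriptionHealth | Format-Table -AutoSize
Get-ForwardedEventsChannelInfo
```

Sources listed as inactive or with a non-zero LastError, or a channel whose FileSizeMB sits at MaximumSizeMB with LogMode Circular, are the first things to compare against the gaps seen in Splunk.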

Path Finder

I typically recommend the UF on Windows servers. It makes monitoring for problems much easier, such as systems that have stopped sending any data.

As for workstations, that may be a bit stickier, but if your number of workstations is small, a UF is hardly outrageous compared to many other agents I've seen on workstations. The major question to ask yourself is what happens when that workstation (which includes laptops presumably) goes home and then is brought online?

0 Karma

Path Finder

As far as workstations, we have around 4,000. Mixture of physical, persistent and non-persistent VDI.

0 Karma

Path Finder

With a moderate number of workstations like that, the downside of a forwarder is you know when they stop reporting in. The upside is you know when they stop reporting in. VDI are typically considered more transitory, less permanent, so a forwarder does make less sense. You may need to consider a different solution for each technology type.

Some have had luck with a syslog daemon on Windows to forward log events.

There really is not a single best answer in my view. Each technology has advantages. Forwarders are easier to monitor, harder to deal with systems that are expected to come up and down regularly, but also deal surprisingly well with network disconnects. Event forwarders are simple, but as you've seen, not well known for reliability. Some use syslog or other protocols to introduce more answers.

0 Karma