Deployment Architecture

Questions about transmitting all logs to Splunk's SIEM for each forwarder.

New Member

Hello,

I want to transmit all logs to Splunk's SIEM. Therefore, there are some questions.

Q1. In our network system, Splunk's Forwarder will be used as an agent for log transmission. I'm wondering what kind of log can be sent to SIEM for each forwarder (Universal, Light and Heavy).

Q2. The Windows event logs as well as process variable logs are stored on our workstation.
- Process variable logs
Time | Variable | Status
00:00:00 99 On-line
00:00:01 89 On-line
......
01:01:03 76 Off-line

Can these logs be analyzed in Splunk's SIEM? If possible, can it be sent to SIEM through Splunk's forwarder?

Thanks,

0 Karma

SplunkTrust
SplunkTrust

A1: Both types of forwarder (there is no more Light forwarder) can forward the same log types.

A2: Is it's text, Splunk can process it. Different log types should be given a separate sourcetype so Splunk knows how to process them.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thank you very much for your answer. Can i transmit process variable logs to SIEM by using Splunk's forwarder?

0 Karma

SplunkTrust
SplunkTrust

Yes, you can. That is the preferred way.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks a lot. I couldn't find any information on how to set-up in Universal Forwarder. Can you explain how to transmit process variable logs to SIEM?

0 Karma

SplunkTrust
SplunkTrust

You won't find "process variable log" anywhere in Splunk's documentation. It's just a "log". Splunk doesn't care what's inside as long as it's text.
See https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents for more information.

---
If this reply helps you, an upvote would be appreciated.
0 Karma