I want to transmit all logs to Splunk's SIEM. Therefore, there are some questions.
Q1. In our network system, Splunk's Forwarder will be used as an agent for log transmission. I'm wondering what kind of log can be sent to SIEM for each forwarder (Universal, Light and Heavy).
Q2. The Windows event logs as well as process variable logs are stored on our workstation.
- Process variable logs
Time | Variable | Status
00:00:00 | 99 | On-line
00:00:01 | 89 | On-line
01:01:03 | 76 | Off-line
Can these logs be analyzed in Splunk's SIEM? If possible, can it be sent to SIEM through Splunk's forwarder?
A1: Both types of forwarder (there is no more Light forwarder) can forward the same log types.
A2: If it's text, Splunk can process it. Different log types should be given a separate sourcetype so Splunk knows how to process them.
You won't find "process variable log" anywhere in Splunk's documentation. It's just a "log". Splunk doesn't care what's inside as long as it's text.
See https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents for more information.
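As a worked illustration of the answer above (an added example, not part of the original thread or Splunk's own documentation), this is what "give it its own sourcetype" looks like in practice for the process variable log shown in the question: a monitor stanza in inputs.conf on the Universal Forwarder that tags the file with the sourcetype, and a matching props.conf/transforms.conf on the indexer that tells Splunk how to break lines, where the timestamp is, and which fields to extract. The file path, the sourcetype name process_variable and the index name ot_logs are assumptions chosen for the example.

```ini
# --- inputs.conf on the Universal Forwarder (example; path/index/sourcetype are assumed) ---
[monitor://C:\ProcessLogs\process_variables.log]
sourcetype = process_variable
index = ot_logs
disabled = 0

# --- props.conf on the indexer (or heavy forwarder) for the assumed sourcetype ---
[process_variable]
# One event per line; do not let Splunk merge lines into multi-line events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp sits at the start of the line and is time-of-day only (HH:MM:SS).
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 8
# Index-time: drop the "Time | Variable | Status" header row so it is not stored as an event.
TRANSFORMS-drop_header = process_variable_drop_header
# Search-time field extraction for the three columns.
EXTRACT-process_fields = ^(?<time>\d{2}:\d{2}:\d{2})\s+\|?\s*(?<variable>\d+)\s+\|?\s*(?<status>On-line|Off-line)

# --- transforms.conf on the indexer, referenced by TRANSFORMS-drop_header above ---
[process_variable_drop_header]
REGEX = ^Time\s*\|
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats worth checking before relying on this in a SIEM. First, the sample lines carry no date, only a time, so Splunk has to fill the date in itself; if the workstation can write a full date on each line, extend TIME_FORMAT accordingly so events land on the correct day in searches and alerts. Second, the header row is dropped at index time; if you prefer to keep it, delete the TRANSFORMS-drop_header line and the transforms.conf stanza, and the EXTRACT regex will simply not match that one event.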