What exact types of logs are collected by the Universal Forwarder?

Srini1207
Engager

I have an idea of what logs can be collected by the Universal Forwarder (for example Application, Security, System, Forwarded Event logs, Performance monitoring). But I want to know what exactly it collects in all those categories.


gcusello
SplunkTrust

Hi @Srini1207,

the types of logs collected by a Universal Forwarder depend on the Add-Ons you are using.

In other words, if you have the Splunk TA-Windows, you have the following logs: https://docs.splunk.com/Documentation/AddOns/released/Windows/SourcetypesandCIMdatamodelinfo

If you have the Splunk TA for Linux, you have the following logs: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

So you have to define which Add-Ons you need: you have to identify the logs you need to collect, then you can look in Splunkbase, where there's usually a link to the Splunk documentation.

Ciao.

Giuseppe


Srini1207
Engager

I wasn't able to understand it properly. While installing the Universal Forwarder, it asks what types of logs need to be monitored (System, Security, Applications, Metrics, etc.).

Within those, what exactly does it monitor? For example, in Security we can track the logins, and in Metrics the CPU performance and loads. That is what I'm asking.


gcusello
SplunkTrust

Hi @Srini1207,

this isn't a Splunk issue; you are following the process the wrong way round: you have to identify your requirements exactly, knowing Windows logging, and then choose the logs to index in Splunk for monitoring.

So if you want login, logout and login failures, you need only WinEventLog:Security, taking only EventCode=4614, 4625 and 4634.

But in WinEventLog there are many interesting EventCodes; then there is other information in perfmon, in syshost, etc.

As I said, define your requirements at the Windows level before starting your ingestion; then you can identify how to get the information into Splunk.

Probably, in Splunk_TA_Windows (https://docs.splunk.com/Documentation/AddOns/released/Windows/SourcetypesandCIMdatamodelinfo?_ga=2.4....) you can find help to identify what you can take from a Windows server.

Ciao.

Giuseppe

0 Karma
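To make the two answers above concrete, here is an added example of the local inputs.conf that a Universal Forwarder with Splunk_TA_windows would use to collect exactly the categories the question lists (Security, System, Application event logs plus CPU performance counters), with the Security channel filtered down to logon activity. This is an illustrative configuration written for this thread, not a file from the original posts or from the add-on itself; the index names (wineventlog, perfmon) are assumptions, and the event IDs follow the Windows Security log, which records a successful logon as EventCode 4624, a failed logon as 4625 and a logoff as 4634.

```ini
# Added example: %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf
# (assumed location; the add-on ships with every input disabled in default/,
# so the stanzas you want are enabled in local/).

# Security channel: collect only the logon lifecycle the reply asks for.
# The whitelist keeps only these EventCodes; everything else on the
# channel is dropped at the forwarder, before it is sent to the indexer.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = 4624,4625,4634
index = wineventlog

# System and Application channels: no filter, so every event on the
# channel is collected (service starts/stops, crashes, driver errors ...).
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

# "Metrics" in the installer dialogue is Performance Monitor data: each
# perfmon stanza names one object, its counters and instances, and a
# sampling interval in seconds. This one answers the "CPU performance and
# loads" part of the question.
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = _Total
interval = 10
index = perfmon
disabled = 0
```

After deploying this file, `splunk btool inputs list --debug` on the forwarder shows the merged stanzas and which file each setting came from, which is the quickest way to confirm that the whitelist is in effect and that nothing from default/ is still enabled that you did not intend. Note that the whitelist is the security-relevant line: a Security channel with no whitelist ships every audit event, which is often what you want for investigations but is also where most of the ingest volume and licence cost comes from, so decide that deliberately rather than by default.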