I have an idea of what logs can be collected by Universal Forwarder (Example - Application, Security, System, Forwarded event logs, Performance monitoring). But I want to know what exactly it collects in all those categories.
Hi @Srini1207,
the types of logs collected by a Universal Forwarder depend on the Add-Ons you are using.
In other words, if you have the Splunk TA-Windows you have the following logs. https://docs.splunk.com/Documentation/AddOns/released/Windows/SourcetypesandCIMdatamodelinfo
if you have the Splunk TA-for Linux, you have the following logs: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes
So you have to define which Add-Ons you need,you have to identify the logs you need to collect, then you can see in Splunkbase where there's usually a link to Splunk documentation.
Ciao.
Giuseppe
I couldn't able to get it properly. While installing the Universal Forwarder, it will ask for what type of logs needs to be monitored (System, Security, Applications, Metrics, etc.).
In that, what exactly it monitors? for example, in security we can track the logins and in metrics the CPU Performance and loads. I'm asking in that way.
Hi @Srini1207,
this isn't a Splunk issue, you are following a contrary process: you have to exactly identify your requirements knowing Windows logging, then choose the logs to index in Splunk for monitoring.
So if you want login, logout and logfail, you need only Wineventlog:Security taking only EventCode=4614, 4625 and 4634.
But in Wineventlog there are many interesting EventCodes; then there are other information in perfmon, in syshost, etc...
As I said, define your requirements at Windows level before starting your ingestion, then you can identify how to take the information in Splunk.
probably, in Splunk_TA_Windows (https://docs.splunk.com/Documentation/AddOns/released/Windows/SourcetypesandCIMdatamodelinfo?_ga=2.4....) you can find an help to identify what you can take from a Windows server.
Ciao.
Giuseppe