Why are Wineventlogs Forwarding without AD?

Aleena
Explorer

Hi There,

I have a Windows Server 2008 without AD and would like to forward wineventlogs from it to a Heavy Forwarder running on Linux. I have tried:

1. Native WEF

2. Syslog-Ng

3. NXLog

None of these work, since they all require a domain subscription and I don't have AD. I have written a PowerShell script to export wineventlogs but don't know how to forward these logs to the HF running on RHEL. Kindly let me know how to proceed.

Thanks in Advance


gcusello
Legend

Hi @Aleena,

let me understand:

  • you have a Win 2008 server and you want to take wineventlogs and send them to Splunk using a Forwarder without taking logs from a Domain Controller, is this correct?
  • why do you speak of a Heavy Forwarder? Maybe there is a concentrator?
  • can you install a Universal Forwarder on that server?

If you can install a Universal Forwarder on that server, you should install Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) on it and, by enabling the wineventlog inputs, you can have all the wineventlogs you need.

Ciao.

Giuseppe


Aleena
Explorer

Hi @gcusello 

Thanks for your prompt response. I cannot install any agent on my Windows server. I already tried installing the UF but it keeps failing. I want an agentless approach.

Thank you,

gcusello
Legend

Hi @Aleena,

if you must follow an agentless approach, you should use another Windows server to enable WMI log extraction.

For more info see https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/ConsiderationsfordecidinghowtomonitorW...

I don't like WMI because it needs a domain user with level grants; my hint is to try to use the Universal Forwarder, but if that isn't possible, another solution is to use WMI.

Ciao.

Giuseppe


Aleena
Explorer

Hi @gcusello 

WMI involves a domain user account and I don't have AD or a domain controller, so I cannot use it.

Thank you

gcusello
Legend

Hi @Aleena,

Windows doesn't natively send syslog; you should try to execute a PowerShell script on another Windows system where you can install the Splunk Universal Forwarder, but it's a real workaround!

My hint is to try to explain to your customers why to use a Universal Forwarder and its advantages:

  • local cache in case of network or Splunk server unavailability,
  • network bandwidth optimization,
  • security (data encryption),
  • greater manageability,
  • low local resource usage,
  • etc...

Ciao.

Giuseppe


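Giuseppe's last suggestion, a PowerShell collector on a separate Windows host that does have a Universal Forwarder, as an added example that is not part of the thread: it reads the 2008 server's event logs remotely with a local account (no domain needed), checkpoints by RecordId so reruns never duplicate events, and writes JSON lines into a directory the UF monitors. The host name WIN2008-SRV, the local account, the C:\splunk-collect paths and the firewall rule name are assumptions; the target's "Event Log Readers" group and the "Remote Event Log Management" firewall rule group are real Windows names.

```powershell
# Added example (not from the thread). Assumed: target host name, a local (non-domain)
# account in the target's "Event Log Readers" group, and the output paths below.
# The target's firewall must allow the "Remote Event Log Management" rule group.
param(
    [string]$Target    = 'WIN2008-SRV',                 # assumed target host name
    [string]$OutDir    = 'C:\splunk-collect',           # assumed dir monitored by the UF
    [string]$StateFile = 'C:\splunk-collect\state.json',
    [string[]]$Logs    = @('Security', 'System', 'Application')
)
# Prompt once for the target's local account (e.g. WIN2008-SRV\logreader); no AD involved.
$cred = Get-Credential -Message "Local account on $Target with Event Log Readers rights"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Checkpoint of the last RecordId per log, so reruns fetch only new events (no duplicates).
$state = @{}
if (Test-Path $StateFile) {
    $saved = Get-Content $StateFile -Raw | ConvertFrom-Json
    $saved.PSObject.Properties | ForEach-Object { $state[$_.Name] = [long]$_.Value }
}
foreach ($log in $Logs) {
    $lastId = if ($state.ContainsKey($log)) { $state[$log] } else { 0 }
    # The XPath filter runs on the target, so only records newer than the checkpoint cross the wire.
    $xpath = "*[System[EventRecordID > $lastId]]"
    try {
        $events = @(Get-WinEvent -ComputerName $Target -Credential $cred -LogName $log `
                    -FilterXPath $xpath -Oldest -ErrorAction Stop)
    } catch {
        # "No events were found" just means nothing new since the checkpoint.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read $log from ${Target}: $($_.Exception.Message)"
        }
        continue
    }
    $outFile = Join-Path $OutDir "$($Target)_$log.json"
    $events | ForEach-Object {
        # One JSON object per line; the UF input can use INDEXED_EXTRACTIONS = json.
        [pscustomobject]@{
            time     = $_.TimeCreated.ToUniversalTime().ToString('o')
            host     = $_.MachineName
            log      = $log
            event_id = $_.Id
            record   = $_.RecordId
            message  = $_.Message
        } | ConvertTo-Json -Compress
    } | Add-Content -Path $outFile -Encoding UTF8
    $state[$log] = $events[-1].RecordId
}
$state | ConvertTo-Json | Set-Content $StateFile
```

Schedule it with Task Scheduler on the collector host; the UF then only needs a [monitor://C:\splunk-collect] stanza, and the local account should be read-only (Event Log Readers, nothing more).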