Deployment Architecture

Why are Wineventlogs Forwarding without AD?

Aleena
Explorer

Hi There,

I am having windows server 2008 without AD. would like to forward wineventlogs from windows server 2008 to Heavy forwarder running on Linux. Have tried 

1. Native WEF

2. Syslog-Ng

3.NXLog

All are not working since it all requires domain subscription and i dont have AD. Have written powershell script to export wineventlogs but dont know how to forward this log to HF running on RHEL. Kindly let me know how to proceed.

Thanks in Advance

Labels (2)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Aleena,

let me understand:

  • you have a win 2008 server and you want to take wineventlogs and send them to Spunk using a Forwarder without taking logs from a Domain Controller, is this correct?
  • why do you speak of an Heavy Forwarder? meybe is there a concentrator?
  • can you install a Universal Forwarder on that server?

If you can install a Universal Forwarder on that server, you should install on it the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) and (enabling wineventlogs inputs) you can have all the wineventlogs you need.

Ciao.

Giuseppe

0 Karma

Aleena
Explorer

Hi @gcusello 

Thanks for ur prompt response. i cannot able to install any agent on my windows server. already tried installing UF but i keeps failed. I want an agentless approach.

Thankyou,

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Aleena,

if you must follow an agentless approach, you should use another windows server to enable WMI logs extraction.

Fo r more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/ConsiderationsfordecidinghowtomonitorW...

I don't like WMI because it need a domain user with level grants, my hint is to try to use Universal Forwarder, but if it isn't possible another solution use WMI.

Ciao.

Giuseppe

0 Karma

Aleena
Explorer

Hi @gcusello 

WMI involves domain user account and i dont have AD or domain controller. so cannot use it.

Thankyou

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Aleena,

windows doesn't natively send syslogs, you should try to execute a powershell script on another windows system where you can install the Splunk Universal Forwarder, but it's a real porkaround!

I hint to try to explain to your customers why to use a Universal Forwarder and its advantages:

  • local cache in case di network or Splunk server unavailability,
  • network bandwidth optimization,
  • security (data encryption),
  • greater manageability,
  • few local resource occupation,
  • etc...

Ciao.

Giuseppe

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...