Hi
Now I want to collect specific Windows event logs and use the Universal Forwarder to send them to Splunk Enterprise, such as Security events whose task category = File Share.
I see a suggestion to install a heavy forwarder and don't understand what a heavy forwarder is. (https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder)
Does it mean installing the Splunk Enterprise software on the Windows Server I want to collect logs from and configuring forwarding to send the logs to the main Splunk Enterprise?
Thank you
To answer your question directly.
No.
The simplest way to collect log data from Windows systems is to install a universal forwarder on each of the Windows servers/workstations you want to collect from. (Yes, there are other ways, but a UF is far simpler.)
You then need to configure the UF to collect the logs you are interested in.
If you need to filter 'out' some of the uninteresting events, there is a basic filtering system using black/white lists which you can employ to do this. In this case you would not need a heavy forwarder.
If you have specific (complicated) filtering requirements, you may consider installing an additional heavy forwarder, which your UF will send its logs to first, before the HF sends the data to your indexers.
This approach gives you a lot more control over the filtering and routing of events; however, in most use cases this is unnecessary, unless you have specific (filtering/pre-processing/network) requirements.
Hi
OK then, how do I use black/white lists for a specific security event which has task category = File Share?
Thank you
If you want to exclude certain events you can use something like:
[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
blacklist4 = EventCode="4688" Message="conhost"
If you only want "File Share" events, try instead a single whitelist statement like
# whitelist entries use the same key="regex" form as the blacklists above
whitelist1 = TaskCategory="File Share"
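To show what these key="regex" whitelist and blacklist rules actually keep and drop, here is a small Python evaluator that applies the stanzas from this answer to a few constructed Security events. This is an added example, not code from this thread or from Splunk. The matching semantics it assumes are: each rule value is one or more key="regex" pairs that must all match, a bare comma-separated list is a set of exact EventCode values, regexes are unanchored searches, an event must match at least one whitelist if any whitelists exist, and a blacklist match drops the event. Those are assumptions to check against the inputs.conf spec for your Splunk version; the sample events and their messages are constructed, not captured from a real host.

```python
import re

# Constructed sample Security events (not captured data). The keys mirror the
# field names Splunk exposes for WinEventLog whitelist/blacklist matching.
SAMPLE_EVENTS = [
    {"EventCode": "5140", "TaskCategory": "File Share",
     "Message": "A network share object was accessed."},
    {"EventCode": "4663", "TaskCategory": "File System",
     "Message": "Subject: NT AUTHORITY\\SYSTEM  An attempt was made to access an object."},
    {"EventCode": "4624", "TaskCategory": "Logon",
     "Message": "An account was successfully logged on."},
    {"EventCode": "4656", "TaskCategory": "Kernel Object",
     "Message": "A handle to an object was requested."},
    {"EventCode": "5145", "TaskCategory": "Detailed File Share",
     "Message": "A network share object was checked to see whether client can be granted desired access."},
]

# Stanzas under test: the whitelist from the answer above, an anchored variant,
# and the blacklist example from the answer.
WHITELIST_STANZA = r'''
[WinEventLog://Security]
whitelist1 = TaskCategory="File Share"
'''

# Anchoring the regex stops "File Share" from also matching "Detailed File Share".
ANCHORED_WHITELIST_STANZA = r'''
[WinEventLog://Security]
whitelist1 = TaskCategory="^File Share$"
'''

BLACKLIST_STANZA = r'''
[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
'''

RULE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rule(rule):
    """Turn one whitelistN/blacklistN value into a list of (key, compiled regex).

    key="regex" pairs are returned as-is (assumed ANDed together); a bare
    comma-separated list is treated as exact EventCode values.
    """
    pairs = RULE_RE.findall(rule)
    if pairs:
        return [(key, re.compile(rx)) for key, rx in pairs]
    codes = [c.strip() for c in rule.split(",") if c.strip()]
    return [("EventCode", re.compile("^(?:" + "|".join(map(re.escape, codes)) + ")$"))]


def rule_matches(rule_pairs, event):
    """A rule matches when every key="regex" pair finds a match in the event."""
    return all(rx.search(str(event.get(key, ""))) for key, rx in rule_pairs)


def parse_stanza(text):
    """Collect whitelist and blacklist rules from an inputs.conf-style stanza."""
    whitelists, blacklists = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue  # skip blanks, comments and the stanza header
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("whitelist"):
            whitelists.append(parse_rule(value))
        elif key.startswith("blacklist"):
            blacklists.append(parse_rule(value))
    return whitelists, blacklists


def filter_events(stanza, events):
    """Return the events the forwarder would keep under the stanza's rules."""
    whitelists, blacklists = parse_stanza(stanza)
    kept = []
    for event in events:
        if whitelists and not any(rule_matches(r, event) for r in whitelists):
            continue  # no whitelist matched, so the event is not collected
        if any(rule_matches(r, event) for r in blacklists):
            continue  # a blacklist matched, so the event is dropped
        kept.append(event)
    return kept


def kept_codes(stanza, events=SAMPLE_EVENTS):
    """Convenience wrapper: just the EventCode of each kept event, in order."""
    return [e["EventCode"] for e in filter_events(stanza, events)]


if __name__ == "__main__":
    for name, stanza in [("whitelist", WHITELIST_STANZA),
                         ("anchored whitelist", ANCHORED_WHITELIST_STANZA),
                         ("blacklist", BLACKLIST_STANZA)]:
        print(f"{name}: keeps EventCodes {kept_codes(stanza)}")
```

Running this shows the caveat worth knowing before you rely on the one-line whitelist: an unanchored `TaskCategory="File Share"` keeps both the 5140 event and the 5145 "Detailed File Share" event, while `^File Share$` keeps only 5140. The blacklist stanza drops the 4663 SYSTEM noise and the 4656 kernel-object event, which is caught both by the `^Kernel` regex and by the bare EventCode list.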
Should I edit the file at path \SplunkUniversalForwarder\etc\system\default?
Thank you, nickhillscpl
I tested editing the file inputs.conf at path \SplunkUniversalForwarder\etc\system\default with Notepad++ and it works!!!
----------This is the edit I tested----------
[WinEventLog://Security]
blacklist1 = TaskCategory="Logon"
You shouldn't edit ./default; you should make changes in ./local.
Hi,
please see this doc; this is all you need 🙂
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder
Yes, I read that document and it is not clear.
Does Heavy Forwarder mean a Splunk Enterprise instance that is created only to collect logs?