Unfortunately I am not allowed to install a universal forwarder on Windows endpoints to send Windows event logs into Splunk. That would be my preferred method.
So I configured endpoints to send winevent logs to a Windows 12 server (configured as a WEC).
Now I am wondering what is the best way to send the events to the indexers?
Should one use a universal forwarder or heavy forwarder or some other method?
Thank you
I think I've misinterpreted the WEC and assumed WMI !
There is an answer Forwarding logs from Windows Event Collector from May that is likely relevant to your question.
I think I've misinterpreted the WEC and assumed WMI !
There is an answer Forwarding logs from Windows Event Collector from May that is likely relevant to your question.
I think I've misinterpreted the WEC and assumed WMI !
There is an answer Forwarding logs from Windows Event Collector from May that is likely relevant to your question.
Thank you, I read this and read the referred link by Mikael, previously. But it looks like this is all there is as far as advice.
Unfortunately not, we looked at the WMI path and were advised that Microsoft builtin event throttling and a few other features into that so we eventually convinced the AD admins that we were better off with the universal forwarder...
Local is ideal but if it is forbidden then the alternatives can work, but they are much more difficult!
after some back and forth with the opposition to UF installs on endpoints, I was given permission to do a test deployment... I have a follow up question I will post soon if you have time to answer. Thank you
agreed, I would rather use UF as well, thank you for the help!
I believe this documentation is appropriate
Quoting from the documentation "
Use a forwarder to collect remote Windows data
Use a universal forwarder to get remote Windows data whenever possible. The universal forwarder has these advantages:
It uses minimal network and disk resources on the installed machines.
You can install it as a non-privileged user, whereas you require administrative access for WMI.
If you install it as the Local System user, then it has administrative access to the machine and requires no authentication to get data from there, as WMI does.
It scales well in large environments and is easy to install. You can install it manually, with either a Microsoft deployment tool like System Center Configuration Manager (SCCM) or a third party distribution solution such as Puppet or IBM BigFix.
After you install a universal forwarder, it gathers information locally and sends it to a Splunk deployment. You tell the forwarder what data to gather either during the installation process or later, by distributing configuration updates manually or with a deployment server. You can also install add-ons into the universal forwarder.
There are some drawbacks to using the universal forwarder, depending on your network configuration and layout. See "Forwarders versus remote collection through WMI" in this topic.
"
Hi Garethatiag,
Thank you you for the reply and reference. Unfortunately I am forbidden to use UFs on the endpoint. I am not allowed to install UFs on the endpoint. So I am looking for a workaround with a WEC. I have a hf installed on the WEC server that is collecting the forwarded windows logs, but I have read a number of posts and slightly confused as to the best method if one has to use a WEC.
Thank you
Moved my comment to an answer! I've misinterpreted your question about WEC so I've re-answered again below.
The universal forwarder should be able to do WEC if you really require it, WMI should also work as per my other answer.