Getting Data In

Best way to send Windows event logs from a Windows 12 server to indexers?

packet_hunter
Contributor

Unfortunately I am not allowed to install a universal forwarder on Windows endpoints to send Windows event logs into Splunk. That would be my preferred method.

So I configured endpoints to send winevent logs to a Windows 12 server (configured as a WEC).

Now I am wondering what is the best way to send the events to the indexers?

Should one use a universal forwarder or heavy forwarder or some other method?

Thank you

0 Karma
1 Solution

gjanders
SplunkTrust

I think I've misinterpreted the WEC and assumed WMI !

There is an answer Forwarding logs from Windows Event Collector from May that is likely relevant to your question.


0 Karma

packet_hunter
Contributor

Thank you, I read this and read the referred link by Mikael, previously. But it looks like this is all there is as far as advice.

gjanders
SplunkTrust

Unfortunately not. We looked at the WMI path and were advised that Microsoft built event throttling and a few other features into that, so we eventually convinced the AD admins that we were better off with the universal forwarder...

Local is ideal but if it is forbidden then the alternatives can work, but they are much more difficult!

0 Karma

packet_hunter
Contributor

After some back and forth with the opposition to UF installs on endpoints, I was given permission to do a test deployment... I have a follow-up question I will post soon if you have time to answer. Thank you

0 Karma

packet_hunter
Contributor

Agreed, I would rather use the UF as well, thank you for the help!

0 Karma

gjanders
SplunkTrust

I believe this documentation is appropriate

Quoting from the documentation:

Use a forwarder to collect remote Windows data
Use a universal forwarder to get remote Windows data whenever possible. The universal forwarder has these advantages:

It uses minimal network and disk resources on the installed machines.
You can install it as a non-privileged user, whereas you require administrative access for WMI.
If you install it as the Local System user, then it has administrative access to the machine and requires no authentication to get data from there, as WMI does.
It scales well in large environments and is easy to install. You can install it manually, with either a Microsoft deployment tool like System Center Configuration Manager (SCCM) or a third party distribution solution such as Puppet or IBM BigFix.
After you install a universal forwarder, it gathers information locally and sends it to a Splunk deployment. You tell the forwarder what data to gather either during the installation process or later, by distributing configuration updates manually or with a deployment server. You can also install add-ons into the universal forwarder.

There are some drawbacks to using the universal forwarder, depending on your network configuration and layout. See "Forwarders versus remote collection through WMI" in this topic.

0 Karma

packet_hunter
Contributor

Hi Garethatiag,
Thank you for the reply and reference. Unfortunately I am forbidden to use UFs on the endpoint. I am not allowed to install UFs on the endpoint. So I am looking for a workaround with a WEC. I have an HF installed on the WEC server that is collecting the forwarded Windows logs, but I have read a number of posts and am slightly confused as to the best method if one has to use a WEC.

Thank you

0 Karma

gjanders
SplunkTrust

Moved my comment to an answer! I've misinterpreted your question about WEC so I've re-answered again below.

The universal forwarder should be able to do WEC if you really require it, WMI should also work as per my other answer.

0 Karma
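Added example (editor's, not from any poster in this thread): the WEC-plus-forwarder layout the thread settles on, scripted end to end on the collector. A Universal Forwarder installed on the WEC server reads the ForwardedEvents channel (where WEC lands events from subscribed endpoints) and ships it to the indexers, so no agent is needed on the endpoints themselves. The subscription name, Splunk install path, app name, index name and indexer addresses are assumptions; replace them with your own. Run it in an elevated PowerShell session on the collector.

```powershell
# Added example: hook a Universal Forwarder on the WEC server to the ForwardedEvents
# channel and ship it to indexers. All names and paths below are assumptions.
$SubscriptionName = 'DomainEndpoints'                                    # assumed WEC subscription name
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'          # default UF install path
$AppDir           = Join-Path $SplunkHome 'etc\apps\wec_inputs\local'    # assumed app name
$Indexers         = 'idx1.example.local:9997,idx2.example.local:9997'    # assumed indexer list

# 1. Check the collector side before touching Splunk: the WEC service must be running,
#    the subscription must show sources as Active, and the channel must contain events.
$svc = Get-Service -Name Wecsvc -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Wecsvc is $($svc.Status); run 'wecutil qc' to enable the collector first"
}
wecutil gr $SubscriptionName    # runtime status per source host: Active/Inactive and last error
$recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'ForwardedEvents is empty; fix the subscription before configuring the forwarder'
}

# 2. Splunk input for the channel. renderXml keeps the full event XML (including the
#    originating Computer element) rather than the collector's rendered message text;
#    start_from/current_only make the first run read the channel backlog, and the
#    checkpoint prevents re-reading it after a restart.
New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
@"
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
renderXml = true
start_from = oldest
current_only = 0
checkpointInterval = 5
"@ | Set-Content -Path (Join-Path $AppDir 'inputs.conf') -Encoding ASCII

# 3. Output to the indexers with indexer acknowledgement so a dropped connection
#    does not silently lose events that WEC already removed from the endpoints.
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $Indexers
useACK = true
"@ | Set-Content -Path (Join-Path $AppDir 'outputs.conf') -Encoding ASCII

# 4. Apply and verify the input is live.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
& (Join-Path $SplunkHome 'bin\splunk.exe') list inputstatus
```

After the restart, search `index=wineventlog` on the indexers and check that the `host` field reflects the original endpoints rather than the collector; if every event carries the collector's name, the per-event XML is not being used for host assignment and the input needs adjusting before the data is useful for detection. The same inputs.conf stanza works unchanged on a heavy forwarder, which is what the asker already has on the WEC server; the UF is simply the lighter choice when no parsing is needed at the collector.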