Solved: Can I send Windows Event Forwarded events direct t...

port7 · ‎04-30-2018

I heard a rumour that there was a Splunk Add-On that allowed it to act as a 'Windows Event Collector' Server, and so no need for a native Microsoft WEC Server. Is this true?

I need to get events from a bunch of Windows 10 desktops and so look for options, if the above doesn't work I guess I will stand up a few WEC servers.

And before anyone comments, no I can't use the Universal Forwarder because of contractual reasons.... Lets leave it at that!

FrankVl · ‎05-07-2018

Why suggest WMI or Snare, if @port7 says he is planning to use Windows Event Forwarding? As far as I'm aware, WEF easily outperforms WMI when it comes to scalability and definitely outperforms Snare when it comes to data quality and making full use of all the CIM modelling in the Windows TA.

His only question is whether he needs to set up a WIndows box configured as Windows Event Collector (and then run a Splunk Forwarder on that same box), or whether there is some Splunk add-on that allows Splunk to also take on the Windows Event Collector function.

@port7: I've set up Windows log collection before using WEF where I configured a Windows server as the collector and then used a UF on that same box to monitor the forwarded events and send them into Splunk. I've never heard of an add-on that allows Splunk to act as the Collector directly (and a quick search on splunkbase and google also give me 0 results).

View solution in original post

FrankVl · ‎05-07-2018

Why suggest WMI or Snare, if @port7 says he is planning to use Windows Event Forwarding? As far as I'm aware, WEF easily outperforms WMI when it comes to scalability and definitely outperforms Snare when it comes to data quality and making full use of all the CIM modelling in the Windows TA.

His only question is whether he needs to set up a WIndows box configured as Windows Event Collector (and then run a Splunk Forwarder on that same box), or whether there is some Splunk add-on that allows Splunk to also take on the Windows Event Collector function.

@port7: I've set up Windows log collection before using WEF where I configured a Windows server as the collector and then used a UF on that same box to monitor the forwarded events and send them into Splunk. I've never heard of an add-on that allows Splunk to act as the Collector directly (and a quick search on splunkbase and google also give me 0 results).

port7 · ‎05-07-2018

That's my finding too, I couldn't find any Splunk Add-On that can act as a collector for WEF events.

It was suggested by a consultant from Microsoft, but I suspect they got their wires crossed.

nick405060 · ‎08-01-2019

Okay, I am assuming this is the same in 2019, and you can't set up Splunk to act as the WEF server, so I will do the same as you and throw a UF on my WEF server.

itrimble1 · ‎08-20-2019

What type of results are you getting with the UF on the WEF server ?

How many logs are you sending over ? Any latency issues ?

amitm05 · ‎05-07-2018

You can use snare or syslog servers to collect these logs and then use UF/HF from there to send them to splunk.

Richfez · ‎05-06-2018

While there are a variety of ways to accomplish this, it seems the most obvious is to use WMI.

While the UF is still faster and better, if you can't use the UF then using WMI can do a pretty good job of collecting data, especially from newer Windows machines (Windows ~8 and above I think?).

You do have to use a Windows server with a full Splunk install on it to collect this data. If your Splunk installation is *nix, you could just stand up one Splunk HF on Windows to use for this purpose.

woodcock · ‎04-30-2018

You can try snare.

Can I send Windows Event Forwarded events direct to Splunk?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk