Getting Data In

Configure index and application in Universal forwarder

skomath
New Member

Hi

I configured the Universal Forwarder to push the Windows event logs (ADFS logs) to the main Splunk server.

Can anyone help me with how to configure the application and the indexer?

Thanks in advance


jstockamp
Communicator

A little more information would be helpful: what app, what index, what specifically do you need help with? You might want to take a look at the Splunk App for Active Directory (http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory), as it will do most of the configuration for you.


Ayn
Legend

No, it is not.


aholzer
Motivator

skomath
New Member

So, is it possible to do the filtering at the client side (in the Universal Forwarder)?


jstockamp
Communicator

Just to be clear, these modifications to props.conf and transforms.conf will go on the indexer, not the forwarder.


Ayn
Legend

skomath
New Member

I specified it like this:

[WinEventLog:Security]
disabled = 0
index = myIndex

All the security logs start moving to the specified index.

Now the problem is... I want to filter the security logs before pushing them to the server. For example, I want to push only the logs having SourceName=AD FS 2.0 Auditing.

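The two halves of the answer in this thread, the index= setting in the forwarder's inputs.conf and the props.conf/transforms.conf filtering that has to live on the indexer, fit together as below. This is an added example written for this page, not configuration posted by anyone in the thread or shipped by Splunk; the index name myIndex is taken from the question, while the transform names drop_other_security and adfs_only are assumed names chosen for illustration.

```ini
# Added example: keep only "AD FS 2.0 Auditing" events from the Security log and
# discard the rest. inputs.conf goes on the Universal Forwarder; props.conf and
# transforms.conf go on the indexer (or a heavy forwarder), because a Universal
# Forwarder does not run the parsing pipeline that evaluates these transforms.
# Transform names below are assumptions chosen for this example.

# ---------- forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----------
[WinEventLog:Security]
disabled = 0
index = myIndex

# ---------- indexer: $SPLUNK_HOME/etc/system/local/transforms.conf ----------
# Rule 1: match every event and send it to the null queue (discard it).
[drop_other_security]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Rule 2: events whose SourceName is the ADFS auditing provider are sent back
# to the index queue. When several transforms match, the last one listed in
# props.conf wins, so this rule must come after the discard rule.
[adfs_only]
REGEX = SourceName=AD FS 2\.0 Auditing
DEST_KEY = queue
FORMAT = indexQueue

# ---------- indexer: $SPLUNK_HOME/etc/system/local/props.conf ----------
# Apply both transforms, in this order, to the Security event log sourcetype.
[WinEventLog:Security]
TRANSFORMS-adfs = drop_other_security, adfs_only
```

After restarting the indexer, a search such as index=myIndex sourcetype=WinEventLog:Security | stats count by SourceName should list only the ADFS provider; any other SourceName values mean the discard rule is not being applied, which is most often because the files were placed on the forwarder instead of the indexer. Events dropped to nullQueue are gone for good, so keep the regex narrow and check the counts before relying on this for audit data.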

skomath
New Member

ADFS will write the logs into the Windows event log. I configured the Universal Forwarder to collect logs from the Windows event log. For installation I used the Windows MSI setup.


jstockamp
Communicator

It sounds like you have already configured the forwarder to push ADFS logs (which means you configured an inputs.conf file to monitor a directory). In that inputs.conf, add index=myIndex and you should be good. There can be multiple inputs.conf files on a forwarder, so you could have configured it in a number of places.


skomath
New Member

Which location? Which file? Is it inputs.conf?


jstockamp
Communicator

To specify the index you want an input to go to just add:

index=myIndex

to the monitor stanza in your inputs.conf (on the forwarder).

I don't believe Splunk for AD supports ADFS logs specifically.


skomath
New Member

We are looking for ADFS monitoring. Does the Splunk App for Active Directory support ADFS?


skomath
New Member

I want to move all logs to a specific index (say myIndex) rather than having them go to the main index.


skomath
New Member

Do you want any more details?


skomath
New Member

In Splunk Web we can add a new application (say myApp), right? And I created a new index as well (called myIndex). And then on our application server I installed the Universal Forwarder and configured it to push ADFS logs. Logs are moving to the main index.


skomath
New Member

Platform: Windows
