Best recommended practices - Data Input config for Windows servers with the following roles: IIS - SQL - Domain Controllers - SharePoint - Exchange
I'm going to assume you are using some type of log forwarder to send these logs to Splunk. I am using Snare on my Windows servers. It allows me to tell it to send logs on any port I choose. For my DHCP server, I'm having it send logs to Splunk using port 516. On Splunk, I've configured a Data Input, UDP port 516, SourceType: from list, Windows Snare Syslog.
It formats it perfectly. I guess you could do that for each Server.
Snare is fine, but I do recommend, whenever possible, using a Universal Forwarder on the Windows servers to send logs to Splunk indexers, because you can take advantage of the forwarder's functionality like load balancing and consistency of logs sent in case of communication failures or if the indexer is down, just to mention some.
Moreover, using a forwarder, you have native recognition of events coming from WinEventlog.
I agree with the comments so far. I just want to expand a little more.
For more fine tuning, consider this:
- the application inputs (SQL, IIS, Exchange, etc.) can get really chatty... that's both good and bad. Here is my suggestion on this:
Create a test-msft index and send your data from a couple of servers to that index for a couple of days. What you are looking for is which data is mere noise vs. insights. You create a test index so that once you get the data you like coming in, you point it to either your default index or another index; afterwards, delete the test index. (This is a common practice for me.)
Install the Deployment Monitor and the SoS apps to monitor what you will be doing next.
This will be done using the inputs.conf file on each forwarder. Here's the link: http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Inputsconf
If you feel the need to throttle the amount of data being indexed, add information to the "whitelist" and "blacklist" sections. This restricts/allows what data will be forwarded to the indexer.
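As an added illustration of the "test index first, then filter" procedure in the answer above (this is not configuration from the thread or from Splunk's documentation), here is an inputs.conf a Universal Forwarder on an IIS/domain controller host might carry. The index name test-msft comes from the answer; the IIS log path, the event codes dropped and the version note on event-code filtering are assumptions for the example.

```ini
# Added example, not from the original thread. Lives in
# $SPLUNK_HOME\etc\system\local\inputs.conf (or a deployment app) on the
# Windows Universal Forwarder. Index name from the answer above; paths and
# event codes are illustrative assumptions.

# Windows event logs go to a throw-away index while you decide what is noise.
[WinEventLog://Security]
disabled = 0
index = test-msft
# Assumption: event-code blacklist on WinEventLog stanzas needs Splunk 6.0 or
# later; on 5.x leave this line out and filter after reviewing the test index.
# 5156 (filtering platform connection), 4663 (object access) and 4769
# (Kerberos service ticket) are the usual volume hogs on a domain controller.
blacklist = 5156,4663,4769

[WinEventLog://System]
disabled = 0
index = test-msft

[WinEventLog://Application]
disabled = 0
index = test-msft

# IIS W3C logs: on monitor stanzas, whitelist/blacklist are regexes matched
# against the file path (works on 5.x). Only index *.log, skip archives.
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = test-msft
sourcetype = iis
recursive = true
whitelist = \.log$
blacklist = (\.zip|\.gz|\.bak)$

# Once a few days in test-msft show what you want to keep, change each
# "index = test-msft" to the production index, restart the forwarder, and
# delete the test index on the indexer.
```

The blacklist on the Security stanza is applied on the forwarder, so filtered events never cross the network or count against your license; review the test index first so you are not blind-listing an event code your detections depend on.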