Has anyone captured Windows Event Logs from tablets and forwarded it to their indexer?
We're currently trying to solve an issue where the tablet HDD is 500MB and the tablet may lose network connectivity for 12 hours before it's able to get back on the network. This means that the data will be stored locally on the tablet but unable to forward to the indexer.. There's a possibility that the log data will roll before it's able to get network connectivity again which means the data will never make it to the indexer.
I know that the UF can queue up to 500kb, but we expect that more than 500kb of data will be collected when there's no network connection. So my question, has anyone had a similar situation like this? How did you solve it?
We're debating setting up a storage hub to act as a buffer between the tablet and the indexer but this isn't ideal..
That was my first thought, but if I doubled the size of the queue then I'd most likely consume more than twice the amount of memory right? Slowing the tablets down is not an option unfortunately
I was thinking about suggesting they create a hub and send the data via bluetooth from the tablets to the hub when network connectivity drops and this hub be hardwired into a network drop for a persistent internet connection. What's your thoughts on this?
I did overlook Splunk Mint, thanks for the suggestion!!!