I am trying to understand how to set up Splunk for the first time. I have several Server VMs (exchange, DC, SCCM, Splunk) and about 70 workstations.
I want to use Splunk to audit my workstations' event logs. This is a high level overview on how I understand that to occur:
Am I understanding this correctly?
You have the general idea. Allow me to add some tips.
1) Run Splunk Enterprise on a Linux server if you can. You'll be much happier if you do.
2) If you run Splunk on Windows, don't use a domain account.
3) The Universal Forwarders should get their configuration files from a Splunk Deployment Server (DS). Using a DS means you don't need to sign in to each server/workstation to update the UF configs.
4) You don't say how many users will be using Splunk or what hardware Splunk will be on, but I expect you will quickly outgrow a standalone Splunk server. If this is not just a sandbox, consider setting up a distributed environment with separate search head and indexer servers.
in addition to all the hints of @richgalloway , I suggest to create a Technical Add-on (called e.f. TA_Forwarders): it's an app containing only two files:
The first one contains the address of the Deployment Server (remember that if you have to manage more than 50 target servers you must have a dedicated server for this role!).
The second one contains the addresses of the indexers.
In this way you can manage all the configurations by Deployment Server.
The problem is how to rich the Deployment Server for the first time: for this reason, I usually copy this app (TA_Forwarders) on each target server (and I restart Splunk on UF), so it's connected with the Deployment Server and I can deploy to all the UFs the TAs I need.