Re: How to collect Windows event logs without inst...

kpavan · ‎04-11-2016

Hi All,

I need to collect the logs from a Windows machine into Splunk without installing any agent (universal forwarder). I just wanted to know how to achieve this in Splunk 6.3 running on RedHat 6.

With ref: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorWMIdata?r=searchtip

It says need to install Splunk Enterprise on Windows, but I don't want to install the any software on the servers since my client doesn't want to. So please let me know steps to achieve this.

Thanks!

alemarzu · ‎04-11-2016

Hi kpavan,

You could try doing this
https://code.google.com/archive/p/eventlog-to-syslog/

Hope it helps.

gmerhej_splunk · ‎04-11-2016

You can install Splunk Heavy Forwarder on a windows machine, collect WMI data and forward them to your Splunk Indexers running on RedHat 6.

kpavan · ‎04-11-2016

can't we get without installing HF as well?

gmerhej_splunk · ‎04-11-2016

You will need a Windows machine to collect WMI data.

If your Splunk setup is non-Windows, you'll need a separate Windows instance running HF or UF.

See the paragraph "Search Windows Data on a non-Windows Instance of Splunk Enterprise": http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/ConsiderationsfordecidinghowtomonitorWindowsd...

If you opt for a UF, you cannot configure the WMI from the web interface but you can do the same through the wmi.conf:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorWMIdata

kpavan · ‎04-11-2016

Thanks for your information!

How to collect Windows event logs without installing a universal forwarder?

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control