Getting Data In

How to configure a Splunk Universal Forwarder to send specific Windows logs to a designated index

BRFZ
Path Finder

Hello,

I have successfully configured the Splunk Universal Forwarder on a Windows machine to send the WinEventLog System, Security, and Application logs to a specific index. Now I need to include logs from sourcetype = 'ActiveDirectory'.
Could you please guide me through the necessary steps to specify the index for Active Directory logs in the inputs.conf configuration file?

[WinEventLog://Application]
disabled=0
index = test



gcusello
SplunkTrust
SplunkTrust

Hi @BRFZ ,

At first, why do you want to send logs to a different index?

The index is usually chosen based on two parameters: retention and access grants.

An index isn't a database table in which to put homogeneous logs; if you have all logs with the same retention period and the same access grants, you could also put them in the same index.

The parameter that defines a data flow is the sourcetype, not the index!

Anyway, how do you take logs from Active Directory?

If you have a dedicated input in inputs.conf, enable it and assign the different index.

If you want to send part of the WinEventLogs to this different index, you cannot do this on the Universal Forwarder; you have to override the index values on the Indexers, but as I said, it's not useful!

Ciao.

Giuseppe

BRFZ
Path Finder

Hello @gcusello ,

I don't want to specify a particular index for each sourcetype, but I do want the host to send these logs to a specific index. The sourcetypes I have include WinEventLog:Security, WinEventLog:System, WinEventLog:Application and ActiveDirectory Monitoring.


gcusello
SplunkTrust
SplunkTrust

Hi @BRFZ ,

Sorry, but I don't understand:

in the Splunk_TA_windows inputs.conf there are some stanzas for Active Directory:

###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 1
renderXml=true

## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 1
renderXml=true

## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 1
renderXml=true

## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 1
renderXml=true


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

You could enable them (disabled = 0) and add a row with the index in which to store the data in each stanza.

What's the issue?

Anyway, think about what I said in my previous answer: why use a different index?

Ciao.

Giuseppe

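As an added example (not part of this thread and not code from Splunk_TA_windows): a small Python check that parses an inputs.conf, lists the stanzas that are actually enabled and shows which of them carry no explicit index line. Running it against the forwarder's local inputs.conf before restarting catches the case where a stanza was enabled but the index row was forgotten, so the events silently land in the indexer's default index. The sample configuration text below is constructed from the stanzas quoted above; the enabled Directory Service input and its index value are assumed for illustration.

```python
"""Report enabled inputs.conf stanzas and their effective index setting."""
import configparser

# Constructed sample based on the Splunk_TA_windows stanzas quoted in the thread.
# The Directory Service stanza is enabled and given an index here (assumed values);
# the DHCP monitor stanza is enabled but has no index line on purpose.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
disabled = 0
index = test

[WinEventLog://Directory Service]
disabled = 0
renderXml = true
index = test

[WinEventLog://DFS Replication]
disabled = 1
renderXml = true

[WinEventLog://DNS Server]
disabled=1
renderXml=true

[monitor://$WINDIR\\System32\\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
"""

# Values Splunk accepts as "not disabled"
ENABLED_VALUES = {"0", "false"}


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza_name: {key: value}}.

    Splunk keys are case-sensitive (renderXml, crcSalt), so key folding is
    switched off; interpolation is disabled because values may contain $WINDIR.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def enabled_stanzas(stanzas):
    """Return only the stanzas Splunk would run; a missing 'disabled' means enabled."""
    return {
        name: settings
        for name, settings in stanzas.items()
        if settings.get("disabled", "0").strip().lower() in ENABLED_VALUES
    }


def index_report(stanzas):
    """Map each enabled stanza to its index, or a marker when none is set."""
    return {
        name: settings.get("index", "(not set: indexer default)")
        for name, settings in enabled_stanzas(stanzas).items()
    }


def stanzas_missing_index(stanzas):
    """Enabled stanzas with no explicit index line, sorted for stable output."""
    return sorted(
        name for name, settings in enabled_stanzas(stanzas).items()
        if "index" not in settings
    )


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza, index in index_report(parsed).items():
        print(f"{stanza:45s} -> {index}")
    for stanza in stanzas_missing_index(parsed):
        print(f"WARNING: enabled stanza without index: {stanza}")
```

To check a real forwarder, read `%SPLUNK_HOME%\etc\apps\<app>\local\inputs.conf` into `parse_inputs_conf` instead of the sample string. The script only looks at one file; Splunk merges default and local copies across apps, so a stanza enabled in local with its index set in default will be reported as missing here even though the merged configuration is complete.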