Hello,
I have successfully configured the Splunk Universal Forwarder on a Windows machine to send WinEventLog: System, Security, and Application logs to a specific index. Now, I need to include logs from sourcetype = 'ActiveDirectory'.
Could you please guide me through the necessary steps to specify the index for Active Directory logs in the configuration file inputs.conf.
[WinEventLog://Application]
disabled = 0
index = test
Hi @BRFZ ,
at first, why do you want to send logs to a different index?
The index is usually chosen based on two parameters: retention and access grants.
An index isn't a database table in which to put homogeneous logs; if you have all logs with the same retention period and the same access grants, you could also put them in the same index.
The parameter that defines a data flow is the sourcetype, not the index!
Anyway, how do you take logs from Active Directory?
If you have a dedicated input in inputs.conf, enable it and assign the different index.
If you want to send part of the WinEventLogs to this different index, you cannot do this on the Universal Forwarder; you have to override the index values on the Indexers, but as I said, it's not useful!
Ciao.
Giuseppe
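As an added example (not part of Giuseppe's reply or of the Splunk_TA_windows package), here is what the indexer-side override he refers to looks like when only part of the WinEventLog data should land in a separate index. The index name ad_logs, the host pattern and the app directory are assumptions; the routing mechanism (a props.conf TRANSFORMS stanza keyed by sourcetype, and a transforms.conf stanza writing to _MetaData:Index) is the standard Splunk way to rewrite the index at parse time.

```ini
# --- $SPLUNK_HOME/etc/apps/my_routing/local/props.conf (on the indexers / heavy forwarders) ---
# Applied to every event of this sourcetype as it is parsed. A Universal Forwarder
# does not parse events, so this must live where parsing happens.
[WinEventLog:Security]
TRANSFORMS-route_dc_security = route_dc_security_to_ad_index

# --- $SPLUNK_HOME/etc/apps/my_routing/local/transforms.conf ---
# Only events whose host matches the pattern get their index rewritten;
# everything else keeps the index set by the forwarder's inputs.conf.
# Host pattern is an assumed example (domain controllers named dc01, dc02, ...).
[route_dc_security_to_ad_index]
SOURCE_KEY = MetaData:Host
REGEX = ^host::dc\d+\.example\.com$
DEST_KEY = _MetaData:Index
FORMAT = ad_logs

# --- $SPLUNK_HOME/etc/apps/my_routing/local/indexes.conf (on the indexers) ---
# The target index must exist on every indexer, otherwise the rewritten
# events are dropped (or fall into lastChanceIndex if one is configured).
[ad_logs]
homePath   = $SPLUNK_DB/ad_logs/db
coldPath   = $SPLUNK_DB/ad_logs/colddb
thawedPath = $SPLUNK_DB/ad_logs/thaweddb
frozenTimePeriodInSecs = 31536000
```

After deploying, restart or reload the indexers and confirm routing with a search such as `index=ad_logs sourcetype=WinEventLog:Security | stats count by host`; events from non-matching hosts should still appear only in their original index. As Giuseppe notes, this is extra complexity that only pays off when the split hosts genuinely need different retention or access control.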
Hello @gcusello ,
I don't want to specify a particular index for each sourcetype, but I do want the host to send these logs to a specific index. The sourcetypes I have include WinEventLog:Security, WinEventLog:System, WinEventLog:Application and ActiveDirectory Monitoring.
Hi @BRFZ ,
sorry but I don't understand:
in the Splunk_TA_windows inputs.conf there are some stanzas for Active Directory:
###### WinEventLog Inputs for Active Directory ######
## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 1
renderXml=true
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 1
renderXml=true
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 1
renderXml=true
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 1
renderXml=true
###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true
###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
you could enable them (disabled = 0) and add a row with the index in which to store the data in each stanza.
what's the issue?
Anyway, think about what I said in my previous answer: why use a different index?
Ciao.
Giuseppe
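As an added example (not Giuseppe's text and not the shipped Splunk_TA_windows default file), here is a local/inputs.conf on the Universal Forwarder that applies his advice: the Active Directory stanzas from the TA are enabled and each one carries an index line, and the Active Directory monitoring input (the admon:// input, which produces the ActiveDirectory sourcetype the original question asks about) is enabled the same way. The index name ad_logs and the app path are assumptions; on a forwarder the index line is simply the destination each input is tagged with, so the index has to exist on the indexers.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# Settings here override the same stanzas in default/inputs.conf, which is
# why the TA's default file is left untouched (it is replaced on upgrade).

###### Active Directory monitoring (sourcetype = ActiveDirectory) ######
# Stanza name is the one used by the TA; targetDc is left empty so the
# forwarder picks the nearest domain controller (assumed defaults).
[admon://NearestDC]
disabled = 0
monitorSubtree = 1
index = ad_logs

###### WinEventLog Inputs for Active Directory ######
[WinEventLog://DFS Replication]
disabled = 0
renderXml = true
index = ad_logs

[WinEventLog://Directory Service]
disabled = 0
renderXml = true
index = ad_logs

[WinEventLog://File Replication Service]
disabled = 0
renderXml = true
index = ad_logs

[WinEventLog://Key Management Service]
disabled = 0
renderXml = true
index = ad_logs

###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled = 0
renderXml = true
index = ad_logs

# The classic channels keep going to the index already configured for them;
# only the dedicated AD inputs above are pointed at ad_logs.
[WinEventLog://Security]
disabled = 0
index = test
```

Restart the forwarder (or run `splunk restart splunkforwarder`) after the change and verify with `index=ad_logs | stats count by sourcetype` on the search head; a missing index on the indexers shows up as the events never arriving, so check `index=_internal component=IndexProcessor` style errors if the count stays at zero.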