Getting Data In

How to configure a Splunk Universal Forwarder to send specific Windows logs to a designated index

BRFZ
Communicator

Hello,

I have successfully configured the Splunk Universal Forwarder on a Windows machine to send WinEventLog: System, Security, and Application logs to a specific index. Now, I need to include logs from sourcetype = 'ActiveDirectory'.
Could you please guide me through the necessary steps to specify the index for Active Directory logs in the configuration files inputs.conf

[WinEventLog://Application]
disabled=0
index = test

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @BRFZ ,

First of all, why do you want to send logs to a different index?

The index is usually chosen based on two parameters: retention and access grants.

An index isn't a database table in which to put homogeneous logs; if all your logs have the same retention period and the same access grants, you could also put them in the same index.

The parameter that defines a data flow is the sourcetype, not the index!

Anyway, how do you take logs from Active Directory?

If you have a dedicated input in inputs.conf, enable it and assign the different index.

If you want to send part of the WinEventLogs to this different index, you cannot do this on the Universal Forwarder; you have to override the index values on the Indexers, but as I said, it's not useful!

Ciao.

Giuseppe

BRFZ
Communicator

Hello @gcusello ,

I don't want to specify a particular index for each sourcetype, but I do want the host to send these logs to a specific index. The sourcetypes I have include WinEventLog:Security, WinEventLog:System, WinEventLog:Application and ActiveDirectory Monitoring.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BRFZ ,

Sorry, but I don't understand:

In the Splunk_TA_windows inputs.conf there are some stanzas for Active Directory:

###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 1
renderXml=true

## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 1
renderXml=true

## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 1
renderXml=true

## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 1
renderXml=true


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

You could enable them (disabled = 0) and add a row with the index in which to store the data in each stanza.

What's the issue?

Anyway, think about what I said in my previous answer: why use a different index?

Ciao.

Giuseppe

0 Karma
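The procedure Giuseppe describes (enable the Active Directory stanzas and add an index row to each) as a worked example added to this thread; it is not code from the thread, from BRFZ or from Splunk_TA_windows. It assumes the override goes into Splunk_TA_windows/local/inputs.conf on the forwarder rather than editing default/ (edits to default/ are lost on app upgrade), that the sample default text below is a constructed excerpt of the stanzas quoted above, and that the index name `test` and the stanza list are placeholders. The merge step mirrors how Splunk layers local/ over default/ per key: only the keys written in local/ change, so `renderXml` and the other defaults survive.

```python
"""Added example (not from the thread): build a local/inputs.conf overlay that
enables selected Splunk_TA_windows stanzas and routes them to one index, then
compute the effective configuration the way Splunk layers default/ under local/.
The default text, the index name 'test' and the stanza list are constructed."""
import configparser

# Constructed excerpt of Splunk_TA_windows/default/inputs.conf (stanzas as quoted above).
DEFAULT_INPUTS = """\
[WinEventLog://DFS Replication]
disabled = 1
renderXml=true

[WinEventLog://Directory Service]
disabled = 1
renderXml=true

[WinEventLog://DNS Server]
disabled=1
renderXml=true

[monitor://$WINDIR\\System32\\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
"""

# Placeholder list of stanzas to enable; adjust to the AD sources you actually need.
AD_STANZAS = ["WinEventLog://DFS Replication", "WinEventLog://Directory Service"]


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}. The format is
    INI-like; keys are case-sensitive (renderXml, crcSalt) and no $VAR
    interpolation must be applied, hence RawConfigParser."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep key case instead of lower-casing
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def build_local_overlay(default_conf, stanzas, index):
    """Return local/inputs.conf text that enables `stanzas` and sets `index`.
    Only those two keys are written; everything else stays in default/."""
    missing = [s for s in stanzas if s not in default_conf]
    if missing:
        raise KeyError(f"stanzas not present in default inputs.conf: {missing}")
    lines = []
    for s in stanzas:
        lines += [f"[{s}]", "disabled = 0", f"index = {index}", ""]
    return "\n".join(lines)


def effective_conf(default_conf, local_conf):
    """Layer local/ over default/: a key set in local/ wins, other default
    keys in the same stanza survive, stanzas only in local/ are added."""
    merged = {s: dict(kv) for s, kv in default_conf.items()}
    for s, kv in local_conf.items():
        merged.setdefault(s, {}).update(kv)
    return merged


def stanzas_routed_to(conf, index):
    """Enabled stanzas whose events would be sent to `index`. A stanza with no
    'disabled' key is enabled, which is Splunk's default."""
    return sorted(
        s for s, kv in conf.items()
        if kv.get("disabled", "0") in ("0", "false") and kv.get("index") == index
    )


if __name__ == "__main__":
    default = parse_conf(DEFAULT_INPUTS)
    local_text = build_local_overlay(default, AD_STANZAS, "test")
    print("--- local/inputs.conf ---")
    print(local_text)
    effective = effective_conf(default, parse_conf(local_text))
    print("routed to index 'test':", stanzas_routed_to(effective, "test"))
    # Stanzas not listed in the overlay keep their default state (still disabled).
    print("DNS Server disabled =", effective["WinEventLog://DNS Server"]["disabled"])
```

On the forwarder, the same layering can be checked with `splunk btool inputs list --debug`, which prints each effective key together with the file it came from. The index named in the overlay must already exist on the indexers; events sent to an unknown index are dropped (or diverted to `lastChanceIndex`, if that is configured on the indexers).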