Getting Data In

How to get Windows syslog and send it to Splunk?

rockzers
Path Finder

new splunk 

i want to get syslog in splunk, should i install 3rd party app to get syslog? or any other way to get syslog from windows 

i am using windows 10

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rockzers ,

As far as I know, Windows does not natively support sending logs via syslog.

The only way I know is to get the Windows logs, without using an agent, is the WMI which, however, I don't like very much as it requires a user with domain admin rights.

i don't know if there's a third party product to send syslogs from Windows, always remembering that syslog isn't an efficient and secure way to take syslogs.

My suggestion is to try to use the agent (Splunk Universal Forwarder) as much as possible: it is not very invasive, consumes very few resources and provides additional features such as local caching, autoloadbalancing, network bandwidth optimization, etc ...

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rockzers ,

As far as I know, Windows does not natively support sending logs via syslog.

The only way I know is to get the Windows logs, without using an agent, is the WMI which, however, I don't like very much as it requires a user with domain admin rights.

i don't know if there's a third party product to send syslogs from Windows, always remembering that syslog isn't an efficient and secure way to take syslogs.

My suggestion is to try to use the agent (Splunk Universal Forwarder) as much as possible: it is not very invasive, consumes very few resources and provides additional features such as local caching, autoloadbalancing, network bandwidth optimization, etc ...

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rockzers,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It does not require domain admin but requires some tricky permission settings (especially if you want to limit access to particular eventlogs - that's a terrible experience with windows anyway regardless of WMI or not).

Anyway, if you run a UF locally, you still need pretty elevated permissions anyway (and most people just run the forwarder with Local System privileges).

0 Karma

rockzers
Path Finder

Hi @gcusello 

Example:

This scenario is ESXI server (client) access to another windows machine and then get log collector to check login event

so Splunk Universal Forward works for this scenario?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It wouldn't work that way even with syslog. Since syslog works in push mode, you can't "connect to a server to get logs".

You're mixing many different things here.

Usually different "kinds" of solutions (linux, Windows, ESXi, network equipment and so on) need different ways of pulling logs from or listening for logs pushed from them. And you often can't mix systemx in the way. Which means you can't natively pull windows logs from a machine running Linux or ESXi.

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rockzers,

if you can install the UF on your windows server, you can easily take logs.

If you want to take ESXi logs, directly from the VM-Ware server, you could enable syslog from it.

I'm not an ESXi specialist, so I'm not able to guide you in this configuration, but I saw a colleague and I found it easy to configure ESXi to send syslogs to Splunk.

Ciao.

Giuseppe

0 Karma

rockzers
Path Finder

Hi @gcusello 

Esxi server client only accesses My windows machine and does not need any syslog from Esxi

in splunk i need to collect my windows machine login event (like if esxi server people access my windows machine only for specific ip user authentication to access my window) then i need to do it in splunk for SIEM login event

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...