new splunk
I want to get syslog in Splunk. Should I install a 3rd-party app to get syslog? Or is there any other way to get syslog from Windows?
I am using Windows 10.
Hi @rockzers ,
As far as I know, Windows does not natively support sending logs via syslog.
The only way I know to get the Windows logs without using an agent is WMI, which, however, I don't like very much as it requires a user with domain admin rights.
I don't know if there's a third-party product to send syslogs from Windows, always remembering that syslog isn't an efficient and secure way to take logs.
My suggestion is to try to use the agent (Splunk Universal Forwarder) as much as possible: it is not very invasive, consumes very few resources and provides additional features such as local caching, auto load balancing, network bandwidth optimization, etc.
Ciao.
Giuseppe
Hi @rockzers,
Good for you, see you next time!
Ciao and happy Splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
It does not require domain admin, but it requires some tricky permission settings (especially if you want to limit access to particular event logs; that's a terrible experience with Windows anyway, regardless of WMI or not).
Anyway, if you run a UF locally, you still need pretty elevated permissions anyway (and most people just run the forwarder with Local System privileges).
Hi @gcusello
Example:
This scenario is an ESXi server (client) accessing another Windows machine, and then getting the log collector to check the login event.
So does Splunk Universal Forwarder work for this scenario?
It wouldn't work that way even with syslog. Since syslog works in push mode, you can't "connect to a server to get logs".
You're mixing many different things here.
Usually different "kinds" of solutions (Linux, Windows, ESXi, network equipment and so on) need different ways of pulling logs from them or listening for logs pushed from them. And you often can't mix systems in this way. Which means you can't natively pull Windows logs from a machine running Linux or ESXi.
Hi @rockzers,
If you can install the UF on your Windows server, you can easily take logs.
If you want to take ESXi logs directly from the VMware server, you could enable syslog from it.
I'm not an ESXi specialist, so I'm not able to guide you in this configuration, but I saw a colleague do it and I found it easy to configure ESXi to send syslogs to Splunk.
Ciao.
Giuseppe
Hi @gcusello
The ESXi server client only accesses my Windows machine, and I do not need any syslog from ESXi.
In Splunk I need to collect my Windows machine's login events (e.g. if ESXi server people access my Windows machine, only for a specific IP user authentication to access my Windows machine); then I need to do it in Splunk for the SIEM login event.
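As an added example (not from any poster in this thread) of the UF-based approach @gcusello recommends, here is an inputs.conf stanza for the Universal Forwarder on the Windows machine that collects only logon events from the Security log, followed by the search that would then show logons coming from the ESXi client's address. The index name, the event ID whitelist and the extracted field names are assumptions; the fields rely on the Splunk Add-on for Windows being installed.

```ini
# inputs.conf on the Windows host running the Universal Forwarder
# (added example, not from the thread; the index "wineventlog" and the
# 4624/4625 whitelist are assumptions for this logon-monitoring scenario)
[WinEventLog://Security]
disabled = 0
# The index must already exist on the indexers
index = wineventlog
# Forward only successful (4624) and failed (4625) logons, so the SIEM
# receives the relevant subset instead of the whole Security log
whitelist = 4624,4625
# Classic text rendering, which the Splunk Add-on for Windows parses into
# fields such as Logon_Type, Account_Name and Source_Network_Address
renderXml = false

# Search on the search head (assumes the add-on extracts these fields;
# replace the placeholder with the ESXi client's address):
#   index=wineventlog EventCode=4624 Logon_Type=3
#       Source_Network_Address=<ESXI_CLIENT_IP>
#   | table _time host Account_Name Logon_Type Source_Network_Address
```

Restart the forwarder after saving the file; Logon_Type=3 restricts the search to network logons, which is what a remote client connecting to the Windows machine produces.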