Getting Data In

Recommended R-Syslog-equivalent collector for Windows systems.

offspringinc
Engager

Hello,

We have a relatively small network at a remote location that needs to forward logs to our Splunk instance; this remote site has particularly low bandwidth because of its location.

During our original Splunk architecture call we were advised to set up a syslog collector on this remote network and set up a scheduled time when logs can be forwarded to the main Splunk instance for indexing, the idea being to run this task during overnight hours.

Since ALL systems in this remote location are Windows based, the question we currently face is: in your experience, which is the preferred syslog collector for Windows that will easily integrate with Splunk?
Is Syslog-NG the best/most common application for this task?

Thank you,

offspringinc
Engager

Yes, that may be a good option, and because our limited bandwidth is our biggest challenge (to the tune of 1mb up/down, rural and unsteady speeds), we really need to limit log forwarding to a specific time of night.

Another point I forgot to note is that we'll be 'eventually' adding networking devices such as a firewall, network switches, and a VPN appliance; these will need a syslog server.
We use R-Syslog on our parent network, and for that reason we're looking at alternatives that have worked well for you folks to use with Splunk from a Windows system; unfortunately, standing up a Linux server is not an option in this environment.

Any other syslog server recommendations are welcome.

Thank you folks.

0 Karma

mydog8it
Builder

Perhaps you should consider using Windows Event Forwarding to a local server (https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection) and using a Splunk forwarder to send the logs to your Splunk instance. To meet your need to send the logs off-hours, write a PowerShell script to enable/disable splunkd as required to meet your transmission requirements.
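
The setup mydog8it describes, written out as an added example that is not part of the thread and not Microsoft's or Splunk's own code. It turns one Windows host into the WEF collector, points a Universal Forwarder at the ForwardedEvents log, and confines splunkd to an overnight window with two scheduled tasks instead of a hand-run script. Assumed and adjustable: the UF is installed in its default path with the default service name "SplunkForwarder", the window is 01:00 to 05:00 local time, and an index named "remote_win" already exists on the main site (a hypothetical name).

```powershell
# Added example (not from the thread): WEF collector + Universal Forwarder
# with splunkd confined to an overnight transmission window.
# Assumptions (hypothetical, adjust to your site):
#   - UF installed in the default path, service name "SplunkForwarder"
#   - window 01:00-05:00 local time
#   - index "remote_win" exists on the main Splunk instance
# Run once, elevated, on the host chosen as the WEF collector.

$ServiceName = 'SplunkForwarder'
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$WindowOpen  = '01:00'
$WindowClose = '05:00'

# 1. Make this host a Windows Event Collector (starts the wecsvc service and
#    sets it to auto-start). Subscriptions are created afterwards with
#    "wecutil cs <subscription.xml>" once the sources have WinRM enabled.
wecutil qc /q

# 2. The collector must hold more than a full day of pushed events, or the
#    ForwardedEvents log rolls over before the overnight window opens.
#    Raise its maximum size to 1 GB (value is in bytes).
wevtutil sl ForwardedEvents /ms:1073741824

# 3. Tell the UF to read what the sources push into ForwardedEvents.
$inputs = @"
[WinEventLog://ForwardedEvents]
disabled = 0
index = remote_win
renderXml = true
"@
$localDir = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
Set-Content -Path (Join-Path $localDir 'inputs.conf') -Value $inputs -Encoding ASCII

# 4. The service must not auto-start at boot; the scheduled tasks below own
#    its lifecycle so nothing leaves the site outside the window.
Set-Service -Name $ServiceName -StartupType Manual
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue

# 5. Two daily tasks, run as SYSTEM, open and close the window.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

$openAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"Start-Service -Name '$ServiceName'`""
Register-ScheduledTask -TaskName 'Splunk UF - open window' -Principal $principal `
    -Action $openAction -Trigger (New-ScheduledTaskTrigger -Daily -At $WindowOpen) -Force | Out-Null

# Stop-Service issues a normal SCM stop, which splunkd handles as a clean
# shutdown (it drains its output queue). Never kill the process instead.
$closeAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"Stop-Service -Name '$ServiceName' -Force`""
Register-ScheduledTask -TaskName 'Splunk UF - close window' -Principal $principal `
    -Action $closeAction -Trigger (New-ScheduledTaskTrigger -Daily -At $WindowClose) -Force | Out-Null
```

Two things to check after deploying this: that the window is long enough to drain a full day's events at the link's real upload rate (the forwarder resumes from its WinEventLog checkpoint each night, so a short window only means a growing backlog, not data loss, as long as ForwardedEvents does not roll over), and that the collector itself is a hardened host, since every other machine on the site now trusts it with its event logs.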

isoutamo
SplunkTrust

Hi

If all those hosts are Windows, then maybe the easiest way is to put one or more heavy/universal forwarders there as a “gateway forwarder”. Then point all other UFs to send to those, and those relay events to your main site.

R. Ismo

0 Karma
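
The gateway-forwarder layout isoutamo suggests, as an added example that is not part of the thread and not Splunk's own code. One script lays down the Splunk configuration for either role: run it with -Role Gateway on the relay host and with -Role Edge on every other Windows box. Beyond isoutamo's post it also gives the gateway a syslog listener for the firewall, switches and VPN appliance the asker plans to add, and caps the gateway's outbound rate so a relay burst cannot saturate a roughly 1 Mbps link. Hypothetical names to replace: the gateway host "rmt-gw01.remote.local", the main-site receiver "splunk-main.corp.example:9997", and the index "netdev"; the UF is assumed to be in its default path.

```powershell
# Added example (not from the thread): "gateway forwarder" configuration
# for a remote all-Windows site. Edge UFs send to the gateway over the LAN;
# only the gateway talks to the main site over the WAN.
# Hypothetical names, adjust to your site:
#   gateway host  : rmt-gw01.remote.local (listens on 9997)
#   main-site rx  : splunk-main.corp.example:9997
#   syslog index  : netdev (must exist on the main site)
param(
    [Parameter(Mandatory)][ValidateSet('Gateway', 'Edge')][string]$Role,
    [string]$GatewayHost = 'rmt-gw01.remote.local',
    [string]$MainSite    = 'splunk-main.corp.example:9997',
    [int]$LinkCapKBps    = 64   # ~half of a 1 Mbps link (~125 KB/s); UF default is 256
)

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Local      = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $Local -Force | Out-Null

switch ($Role) {
    'Gateway' {
        # Receive from the site's other forwarders, plus UDP syslog from the
        # network devices. UDP is lossy; devices that can speak TCP should use
        # a [tcp://514] stanza instead.
        @"
[splunktcp://9997]
disabled = 0

[udp://514]
sourcetype = syslog
connection_host = ip
no_appending_timestamp = true
index = netdev
disabled = 0
"@ | Set-Content -Path (Join-Path $Local 'inputs.conf') -Encoding ASCII

        # Relay everything to the main site. useACK means an event is only
        # dropped from the in-memory queue once an indexer acknowledged it,
        # which matters on an unsteady WAN. If the main site is unreachable
        # the queue fills, the gateway stops accepting, and the edge UFs pause
        # at their event-log checkpoints and catch up later.
        @"
[tcpout]
defaultGroup = main_site
useACK = true
maxQueueSize = 500MB

[tcpout:main_site]
server = $MainSite
"@ | Set-Content -Path (Join-Path $Local 'outputs.conf') -Encoding ASCII

        # Rate-limit the gateway's own output so the relay never saturates
        # the link for other traffic.
        @"
[thruput]
maxKBps = $LinkCapKBps
"@ | Set-Content -Path (Join-Path $Local 'limits.conf') -Encoding ASCII
    }
    'Edge' {
        # Edge hosts only know the gateway; they never reach the WAN. useACK
        # here too, so the gateway passes the indexer's acknowledgement back.
        @"
[tcpout]
defaultGroup = site_gateway
useACK = true

[tcpout:site_gateway]
server = ${GatewayHost}:9997
"@ | Set-Content -Path (Join-Path $Local 'outputs.conf') -Encoding ASCII
    }
}

# Apply the new configuration.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
```

Two practical notes. A Universal Forwarder as the gateway only relays; if you later want to parse, filter or route the syslog traffic at the remote site before it crosses the link, that host needs to be a heavy forwarder instead. And because 514/udp accepts from anyone that can reach it, restrict that port on the Windows firewall to the management addresses of the network devices so the "netdev" index cannot be polluted by arbitrary hosts on the LAN.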