Getting Data In

Should I stay away from Windows Event Log when I'm setting up custom data inputs?

sideview
SplunkTrust

We're setting up a custom data input and I'm wondering whether it's a bad idea to just write everything to WinEventLog, and then have Splunk index it from there. From the .NET side this seems like a very cheap and simple way to go, whereas setting it up as a scripted input in this case will actually require a bit more work.

But we're concerned that this will be an awful performance bottleneck, or worse that it'll look great for a while and then fail catastrophically under load someday.

It'll be quite a lot of data coming through this path and maybe Windows Event Log is only a good solution if you're dealing with tiny data...

Thanks in advance.

0 Karma
1 Solution

gkanapathy
Splunk Employee

Windows Event Log inputs work just fine, even under high (AD Server for large domains under high levels of auditing) loads. What doesn't work fine under high volumes is trying to collect Windows Event Logs over WMI.

southeringtonp
Motivator

Can you provide some more detail about the application?

You say you're setting up an input, but then reference .NET - are you working with an existing .NET application and (potentially) writing code?

If so, then the first thing is to choose a logging framework such as log4net or the one provided by the .NET Enterprise library, and then decide where to send the logs in the configuration. Make the decision one of configuration, not code.

If you're not writing code, look to see if such a framework has already been used.

Personally I'd have it send to a TCP or UDP socket, in part to simplify sourcetype assignment. I suspect that the load will be lower, but that it won't really matter until you reach some particular threshold level. As long as it's configurable though, it's not likely to be a major issue since you can easily change your mind later if you decide to go through the Windows Event Log for the time being.

If this isn't what you're looking for at all, can you clarify?
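A worked example of the "make it configuration, not code" approach this answer recommends, added here as an illustration and not part of the original thread or of any poster's code: a log4net configuration that defines both destinations, a dedicated Windows Event Log channel and a UDP socket, and lets the root logger's appender-ref decide which one is active. The log name MyAppLog, the source name MyApp, the collector address 10.0.0.5 and the port 9514 are assumed placeholder values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original thread): log4net configuration
     where the log destination is chosen by configuration, not by code.
     MyAppLog, MyApp, 10.0.0.5 and 9514 are assumed placeholder values. -->
<log4net>

  <!-- Option A: write to a dedicated Windows Event Log channel. A Splunk
       forwarder on the same host reads it locally with an inputs.conf stanza
       [WinEventLog://MyAppLog]; no WMI collection is involved. -->
  <appender name="EventLogAppender" type="log4net.Appender.EventLogAppender">
    <!-- Separate channel keeps application noise out of the Application log
         and gives Splunk a clean per-channel source. -->
    <logName value="MyAppLog" />
    <!-- Event source name; registering it needs admin rights, so do it at
         install time rather than at first runtime write. -->
    <applicationName value="MyApp" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date{ISO8601} level=%-5level logger=%logger msg=%message%newline" />
    </layout>
  </appender>

  <!-- Option B: send each event to a Splunk UDP network input. Same layout,
       so searches and field extractions do not depend on the transport. -->
  <appender name="UdpAppender" type="log4net.Appender.UdpAppender">
    <!-- RemoteAddress must be an IP address, not a host name. -->
    <remoteAddress value="10.0.0.5" />
    <remotePort value="9514" />
    <encoding value="utf-8" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date{ISO8601} level=%-5level logger=%logger msg=%message%newline" />
    </layout>
  </appender>

  <root>
    <level value="INFO" />
    <!-- Switching destinations later is a one-line config change:
         comment out one appender-ref and uncomment the other. -->
    <appender-ref ref="EventLogAppender" />
    <!-- <appender-ref ref="UdpAppender" /> -->
  </root>

</log4net>
```

With Option A the Splunk side is a local `[WinEventLog://MyAppLog]` stanza in the forwarder's inputs.conf, which is the local-read path gkanapathy describes as holding up under load; the problematic path is pulling the same log remotely over WMI. Two practical caveats: the EventLogAppender will try to create the event source on first use, which requires administrative rights on that machine, so create it during installation; and the UDP path carries events unauthenticated and without delivery guarantees, so point it only at a collector on a trusted segment and assign the sourcetype on the receiving input.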
