As I've said in a previous post, I am new to Splunk so please excuse the newb questions.
I have been tasked with taking over our Splunk project which was installed about 6 years ago and mostly idle ever since. Now I have 2 weeks to get certain dashboards running. Keep in mind I do not have a strong IT background, but I do have people who can assist me.
My question is about what to use to get certain information to the indexing server. When this system was initially set up, consultants came in and used universal forwarders, but they had several problems. One workaround was to use SQL Server Agent to help collect some of the network data. I'm sure Splunk has grown over the past 6 years, so now I am wondering what I should use, possibly even instead of forwarders. I am thinking about reinstalling Splunk from scratch.
For instance, here are some of the things I want to collect. If someone could point me in a direction as to what to use, I would appreciate the help. I've tried searching the Splunk Knowledgebase, but there is so much that I'm just not sure which direction to go (which apps to use, etc.).
Antivirus update data (I was told they had a problem getting Symantec to play nice in the past)
File auditing after hours
Barracuda backup data
Firewall data (this is monitored on a separate management computer, so it may not work)
I'm afraid there's no single or simple answer to your question. You are right about Splunk: it has changed a lot over the years, and now a lot of stuff can be done with a few clicks / simple configs.
My personal favorites are: 1. Convert the old instance into a forwarder to your new instance, or 2. Set up something parallel to the old instance (this instance would be your forwarder/indexers, collecting data from the data sources you've mentioned). Validate, validate and validate... and finally shut down the old instance. Again, there's not going to be a simple answer to your question. We can only post content from our experiences. Hope this helps!
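To make option 1 concrete, here is an added example of the Splunk .conf files involved; it is not from the answer above or from any Splunk documentation, and the hostnames, ports and the `new_indexers` group name are placeholders you would replace with your own. The old Splunk Enterprise instance becomes a heavy forwarder that ships to the new indexer(s), and a couple of inputs cover the Windows file-auditing and firewall syslog sources from the question (the Symantec and Barracuda sources need their vendor add-ons and are left out):

```ini
; --- On the OLD instance: $SPLUNK_HOME/etc/system/local/outputs.conf ---
; Send everything to the new indexer tier. Two servers = round-robin / failover.
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = newidx01.example.com:9997, newidx02.example.com:9997   ; placeholders

; Keep indexing locally while you validate so the old dashboards still work.
; Once the new instance owns the data, set this to false so nothing is indexed twice.
[indexAndForward]
index = true

; --- On the OLD instance: $SPLUNK_HOME/etc/system/local/inputs.conf ---
; Windows Security log for file-access auditing. Object-access auditing must be
; turned on in Windows (audit policy + SACL on the folders); filter to after-hours
; at search time, e.g. date_hour<7 OR date_hour>18, rather than in the input.
[WinEventLog://Security]
disabled = 0
index = winsec

; Syslog listener for the firewall. Point the firewall (or its management host)
; at this box on UDP 514; use tcp://514 or TLS if the firewall supports it.
[udp://514]
sourcetype = syslog
connection_host = ip
index = firewall

; --- On each NEW indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
; Receive forwarded data on the port referenced in outputs.conf above.
[splunktcp://9997]
disabled = 0

; --- Validation (run after restarting both sides) ---
; On the old instance:  splunk list forward-server      (shows "Active forwards")
; On a new indexer, search:  index=* | stats count by host, sourcetype, index
; Compare the hosts/sourcetypes against the old instance before shutting it down.
```

The `indexAndForward` flip is the cutover point: with `index = true` you can run the two instances side by side and compare counts; with `index = false` the old box is just a forwarder and its own indexes stop growing.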