Getting Data In

Universal forwarder on Windows servers

pfabrizi
Path Finder

We are in the process of planning our Splunk deployment. We have some where around 5,000 Windows servers that will be using the UF to forward. Currently in our DEV space we are sending to the indexer with no filtering of events. We are doing an exercise to collect only what we need to report or correlate, so our plan is to send to a heavy forwarder.

Can I filter at the heavy forwarder for Windows?

Are there some docs to help me with configuration?

0 Karma
1 Solution

adonio
Ultra Champion

why would you like to add the HF?
you can filter ob the UF that is on the windows host and control the configurations from one point - a Deployment Server.
as a rule of thumb, try to avoid using HF unless its a must.
to your question, yes, you can filter on HF, and there are plenty of docs and answers around it.
here is an example from docs, start here and read more how to scale to thousands of hosts:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/HowtogetWindowsdataintoSplunk
answers how to filter data with HF (example):
https://answers.splunk.com/answers/173863/how-to-configure-a-heavy-forwarder-to-filter-out-d.html
from docs read here all the way:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/Aboutforwardingandreceivingdata
hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

why would you like to add the HF?
you can filter ob the UF that is on the windows host and control the configurations from one point - a Deployment Server.
as a rule of thumb, try to avoid using HF unless its a must.
to your question, yes, you can filter on HF, and there are plenty of docs and answers around it.
here is an example from docs, start here and read more how to scale to thousands of hosts:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/HowtogetWindowsdataintoSplunk
answers how to filter data with HF (example):
https://answers.splunk.com/answers/173863/how-to-configure-a-heavy-forwarder-to-filter-out-d.html
from docs read here all the way:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/Aboutforwardingandreceivingdata
hope it helps

0 Karma

pfabrizi
Path Finder

If I sent Windows security log to a HF, would need to go to a log file like I do for syslog?

so for my ASA I have a splunk.conf in RSYSLOG that looks for the IP of the device and then writes the syslog to a cisco.log file which then we monitor that file to forward to the indexer.

I have props.conf and transforms.conf that filter out the debug events. Is this how windows would need to be done versus filtering at the windows device?

Thanks!

0 Karma

adonio
Ultra Champion

it wont, you will use the HF tcp input and tcp output to the indexer
you will still have inputs.conf, props.conf and transforms.conf
your rules will probably by host as the sourcetypes for windows are the same

0 Karma

pfabrizi
Path Finder

The reason I was looking to filter at the forwarder was that I have 5,000 windows devices and if I filtered at the windows server (which I know you can) and needed to allow a filtered event to now flow I would need to touch all 5,000 devices via our software distribution which would take months with no idea if they were all successful.

so can I configure at the deployment server windows to collect say 20 specific security event codes and then deploy that configuration to all 5,000 devices?

Thanks!

0 Karma

adonio
Ultra Champion

absolutely, and will also be easier,
it is better (and easier on all systems) to just collect what you need and then you eliminate extra load on collection and avoid filtering.
you can group your windows hosts to server classes and deploy the needed inputs by group
read here more regarding Deployment Server.
SPlunk scales really well like that and allows you to control what you bring in
http://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Aboutdeploymentserver
best practice here will be to use tha TA dor windows (or AD, DC) and modify the prebuilt inputs according to your will.
create separate apps for different groups and control inputs.
good luck

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...