Getting Data In

What is the best practice for collecting Windows Event Logs?

arechenberg
Explorer

Windows event logs can be gathered both via WinEventLog in inputs.conf and also via WMI and event_log_file in wmi.conf

Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system?

Thanks in advance.

Cheers,
Andy

1 Solution

adauria_splunk
Splunk Employee

Security and performance issues with WMI are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method.

I will echo the previous reply and suggest that you use the standard Splunk Windows technical add-on (TA) as the preferred method of collecting Windows data. WMI is best suited to situations where you cannot install a universal forwarder and you already have a WMI infrastructure in place.

You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason.

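As an added illustration (not part of any post in this thread), here are the two input types the question contrasts, written as they would appear on a Windows universal forwarder. The stanza names, index name and host names are placeholders; the attribute names are the standard ones from Splunk's inputs.conf and wmi.conf.

```ini
# inputs.conf on the universal forwarder: the WinEventLog input reads the local
# event log channels directly. This is the format the Splunk Add-on for Windows
# and most Splunkbase apps expect.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# wmi.conf: the same channels polled through WMI. With no "server" attribute the
# forwarder polls its own host, which is the local case the question asks about.
[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 0
index = wineventlog

# With "server" the forwarder polls other machines over WMI. This is the case the
# answers reserve WMI for: hosts on which no forwarder can be installed.
[WMI:RemoteSystemLogs]
server = host1.example.com, host2.example.com
interval = 10
event_log_file = System
disabled = 0
index = wineventlog
```

Two practical notes: WMI stanzas are polled on the configured interval rather than read as events are written, and the remote form only works if the account the splunkd service runs under holds remote DCOM/WMI rights on every target host, which is the security consideration the accepted answer alludes to.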


sloshburch
Splunk Employee

Further supporting this point is the inclusion of this topic over in the docs within the Considerations for deciding how to monitor remote Windows data page. See the sections Splunk forwarders versus WMI and Use a forwarder to collect remote Windows data.


arechenberg
Explorer

Thanks for the reply adauria. Your response somewhat answers my question.

One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data.

The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.

Basically, is the WinEventLog method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and event_log_file?

Thanks again


adauria_splunk
Splunk Employee

WinEventLog is almost always going to be preferred over WMI. The only advantage WMI has is that it supports remote event collection. On the local system running a Universal Forwarder, WinEventLog is going to be more efficient and provide events in a format compatible with more of the apps that use it on Splunkbase.

You should also consider using the Splunk Windows Technology Add-On (TA) for Windows event collection. This add-on is a plug-in to the Universal Forwarder that collects Windows events as well as other optional elements (e.g. perfmon counters, etc.). It uses the WinEventLog format. Again, besides the performance benefits of collecting events directly (as opposed to WMI, local or otherwise), it delivers events to your Splunk server(s) in a format compatible with most of the Splunkbase apps that rely on Windows events.


gcusello
SplunkTrust

I usually prefer WinEventLog using the Splunk Add-on for Windows deployed using a Deployment Server.
Bye.
Giuseppe
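As an added example (not from Giuseppe's post or from Splunk's own documentation), this is the minimal deployment-server configuration that pushes the Splunk Add-on for Windows to every Windows forwarder, which is the setup the reply above describes. The server class name, the deployment server hostname and port are placeholders; the add-on directory name Splunk_TA_windows is the one the add-on ships with.

```ini
# serverclass.conf on the deployment server: one server class that matches
# every Windows forwarder that phones home, and one app assignment for the TA.
[serverClass:windows_forwarders]
whitelist.0 = *
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_forwarders:app:Splunk_TA_windows]
# the add-on's inputs.conf contains WinEventLog stanzas, so the forwarder
# must restart splunkd to start reading the event log channels
restartSplunkd = true
stateOnClient = enabled

# deploymentclient.conf on each universal forwarder: where to phone home.
# Hostname and management port are placeholders.
[deployment-client]

[target-broker:deploymentServer]
targetUri = deploy.example.com:8089
```

Place the add-on under $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows on the deployment server and enable the WinEventLog stanzas you want (they ship disabled) in a local/inputs.conf inside that directory, so every forwarder in the class collects the same channels in the same format.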

arechenberg
Explorer

Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI?

