Windows event logs can be gathered both via WinEventLog in inputs.conf and also via WMI and event_log_file in wmi.conf.
Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system?
Thanks in advance.
Cheers,
Andy
Security and performance issues with WMI are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method.
I will echo the previous reply and suggest that you use the standard Splunk Windows technical add-on (TA) as the preferred method of collecting Windows data. WMI is best suited to situations where you cannot install a universal forwarder and you already have a WMI infrastructure in place.
You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason.
@arechenberg - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
Further supporting this point is the inclusion of this topic over in the docs within the Considerations for deciding how to monitor remote Windows data page. See the sections Splunk forwarders versus WMI and Use a forwarder to collect remote Windows data.
Thanks for the reply adauria. Your response somewhat answers my question.
One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data.
The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.
Basically, is the WinEventLog method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and event_log_file?
Thanks again
WinEventLog is almost always going to be preferred over WMI. The only advantage WMI has is that it supports remote event collection. On the local system running a Universal Forwarder, WinEventLog is going to be more efficient and provide events in a format compatible with more of the apps that use it on Splunkbase.
You should also consider using the Splunk Windows Technology Add-On (TA) for Windows event collection. This add-on is a plug-in to the Universal Forwarder that collects Windows events as well as other optional elements (e.g. perfmon counters, etc.). It uses the WinEventLog format. Again, besides the performance benefits of collecting events directly (as opposed to WMI, local or otherwise), it delivers events to your Splunk server(s) in a format compatible with most of the Splunkbase apps that rely on Windows events.
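The two inputs the thread compares, written out side by side as an added example (not configuration posted by anyone in the thread or taken from Splunk's defaults). The stanza names, index name and hostnames are assumptions; the attribute names are the standard inputs.conf and wmi.conf keys.

```ini
# inputs.conf on a Universal Forwarder: local collection through the
# Windows Event Log API. splunkd reads the logs under its own service
# account on the same host, so no remote RPC/DCOM access is involved.
# This is the path the Splunk Add-on for Windows uses.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# Assumed index name; set it to whatever your deployment uses.
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# wmi.conf on a full Splunk instance (heavy forwarder or indexer):
# remote collection over WMI from hosts that cannot run a forwarder.
# splunkd must run as a domain account with WMI and event-log read
# rights on every host in 'server', and WMI/DCOM must be reachable
# over the network. That extra privileged account and network path
# is the overhead and exposure the answers above point at.
[WMI:RemoteSecurity]
# Constructed hostnames; replace with the hosts you cannot forward from.
server = winserver01.example.internal, winserver02.example.internal
interval = 10
event_log_file = Security
current_only = 0
disabled = 0
index = wineventlog
```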
I usually prefer WinEventLog using the Splunk Add-on for Windows deployed using a Deployment Server.
Bye.
Giuseppe
Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI?
I guess you are looking for this link - http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindows...