Getting Data In

What is the best practice for collecting Windows Event Logs?

arechenberg
Explorer

Windows event logs can be gathered both via WinEventLog in inputs.conf and also via WMI and event_log_file in wmi.conf

Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system?

Thanks in advance.

Cheers,
Andy

0 Karma
1 Solution

adauria_splunk
Splunk Employee
Splunk Employee

Security and performance issues with wmi are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method.

I will echo the previous reply and suggest that you use the standard Splunk Windows technical add on (TA) as the prefer method of collecting Windows data. WMI is best suited to situations were you cannot install a universal forwarder and you already have a WMI infrastructure in place.

You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason.

View solution in original post

aaraneta_splunk
Splunk Employee
Splunk Employee

@arechenberg - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

Security and performance issues with wmi are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method.

I will echo the previous reply and suggest that you use the standard Splunk Windows technical add on (TA) as the prefer method of collecting Windows data. WMI is best suited to situations were you cannot install a universal forwarder and you already have a WMI infrastructure in place.

You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason.

sloshburch
Splunk Employee
Splunk Employee

Further supporting this point is the inclusion of this topic over in the docs within the Considerations for deciding how to monitor remote Windows data page. See the sections Splunk forwarders versus WMI and Use a forwarder to collect remote Windows data.

0 Karma

arechenberg
Explorer

Thanks for the reply adauria. Your response somewhat answers my question.

One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data.

The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.

Basically, is the WinEventLog method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and event_log_file

Thanks again

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

WinEventLog is almost always going to be preferred over WMI. The only advantage WMI has is that it supports remote event collection. On the local system running a Universal Forward, WinEventLog is going to be more efficient and provide events in a format compatible with more of apps that use it on Splunkbase.

You should also consider using the Splunk Windows Technology Add-On (TA) for Windows event collection. This add on is a plug in to the Universal Forward that collect Windows events as well as other optional elements (e.g. perfmon counters, etc.). It uses the WinEventLog format. Again, besides the performance benefits of collecting events directly (as opposed to WMI, local or otherwise), it delivers events to your Splunk server(s) in a format compatibility with most of the Splunkbase apps that rely on Windows events.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I usually prefer wineventlog using Splunk Add-on for Windows deployed using a Deployment Server
Bye.
Giuseppe

arechenberg
Explorer

Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI?

0 Karma

satishsdange
Builder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...