Windows event logs can be gathered both via inputs.conf and also via WMI and
Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system?
Thanks in advance.
I usually prefer wineventlog using the Splunk Add-on for Windows, deployed using a Deployment Server.
Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI?
Security and performance issues with wmi are pretty well documented on the internet - not Splunk's implementation, per se, but in general. Even if those aren't relevant in your deployment, most Splunk apps that rely on Windows event data are looking for it in the format gathered with the standard WinEventLog method.
I will echo the previous reply and suggest that you use the standard Splunk Windows technical add-on (TA) as the preferred method of collecting Windows data. WMI is best suited to situations where you cannot install a universal forwarder and you already have a WMI infrastructure in place.
You can also think of it like this: WinEventLog is for collecting events locally generated on the host with the universal forwarder, while WMI can be used for remote event collection from Windows systems that can't install a forwarder for whatever reason.
Thanks for the reply adauria. Your response somewhat answers my question.
One clarification: since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data.
The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking.
Basically, is the WinEventLog method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and
WinEventLog is almost always going to be preferred over WMI. The only advantage WMI has is that it supports remote event collection. On the local system running a Universal Forwarder, WinEventLog is going to be more efficient and provide events in a format compatible with more of the apps that use it on Splunkbase.
You should also consider using the Splunk Windows Technology Add-On (TA) for Windows event collection. This add-on is a plug-in to the Universal Forwarder that collects Windows events as well as other optional elements (e.g. perfmon counters, etc.). It uses the WinEventLog format. Again, besides the performance benefits of collecting events directly (as opposed to WMI, local or otherwise), it delivers events to your Splunk server(s) in a format compatible with most of the Splunkbase apps that rely on Windows events.
Further supporting this point is the inclusion of this topic over in the docs within the Considerations for deciding how to monitor remote Windows data page. See the sections Splunk forwarders versus WMI and Use a forwarder to collect remote Windows data.
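As an added illustration (not from the original thread or from Splunk's shipped configuration), here are the two collection methods side by side: a local WinEventLog stanza for inputs.conf on the Universal Forwarder, and a wmi.conf stanza for the remote case where no forwarder can be installed. The index name, the host names and the event ID list are assumed values.

```ini
; ---- inputs.conf on the Universal Forwarder (preferred for local collection) ----
; Reads the Security log directly through the Windows event log API.
[WinEventLog://Security]
disabled = 0
; Assumed index name; change to match your deployment.
index = wineventlog
; On first start, read from the oldest event; checkpoints avoid re-reading later.
start_from = oldest
current_only = 0
checkpointInterval = 5
; Do not resolve SIDs/GUIDs against Active Directory per event; this lookup
; is a common source of extra overhead on busy domain members.
evt_resolve_ad_obj = 0
; Assumed event ID list: logon success/failure, process creation, log cleared.
; Filtering at the forwarder keeps both host load and indexed volume down.
whitelist = 4624,4625,4688,1102

; ---- wmi.conf on a collecting host (only where a forwarder cannot be installed) ----
; Polls the remote Security log over WMI every 10 seconds. The account running
; the Splunk service needs WMI access on each listed server.
[WMI:RemoteSecurity]
disabled = 0
; Assumed target host names.
server = dc01, fileserver01
interval = 10
event_log_file = Security
current_only = 0
index = wineventlog
```

Because wmi.conf polls over RPC/DCOM, every poll costs the target a remote query, whereas the WinEventLog input subscribes locally; that is the overhead difference the thread is pointing at.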