How can I forward Windows events without the Splunk forwarder software?

vqd361
Path Finder

Anyone here got some recommendations for forwarding Windows event logs to Splunk without installing the Splunk forwarder software? Is there a good tool to send Windows event logs as syslog events? Our other servers and devices send their syslog data to dedicated Splunk forwarder servers. That works great so my company wants to do the same with our Windows servers.

Before anyone asks: The universal forwarder started eating up 6GB+ RAM out of 8GB on our domain controllers. It's not the first time, so it's gone and it's not coming back. So please no responses telling me to install the Splunk forwarder software on the Windows servers.

Thanks.

1 Solution

lguinn2
Legend

If the universal forwarder was eating over 6GB of RAM, it was probably misconfigured. Also, the 6.1 UF collects Windows data a lot more efficiently, so you might want to look again at some future point.

However, if you don't want to use the UF on a Windows box, then there are a few choices:

  1. Install the UF on a single Windows box somewhere and use it to do remote data collection. This doesn't scale well, so it works best only in limited situations. Also, you will still have one UF on a Windows box, and since that UF will be doing a lot more work, it will put some load on that Windows box.

  2. Figure out some other way to collect Windows data. Snare is a syslog client for Windows, so that might be an option for you. If you go with a "syslog on Windows" option, then it should work a lot like your syslog on Linux.

  3. Set up a log file repository on an SMB share somewhere and have the Windows servers write to it. This has potential performance problems as well, but not due to Splunk. It can be a bottleneck and/or a security risk depending on how you set up the share.

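To make option 2 concrete, here is what a minimal "syslog client for Windows" amounts to, written as an added example for this thread (it is not code from the thread, from Snare, or from Splunk). It reads new events from one channel and ships each as an RFC 5424 syslog message over TCP with RFC 6587 octet-counting framing, optionally inside TLS, so that a dedicated syslog forwarder can receive them like any Linux host's syslog. The forwarder hostname, port, channel, event ID list, and bookmark file path are assumptions and need to be adjusted.

```powershell
# Added example, not from the original thread or from any vendor.
# Ships new Windows events from one channel to a syslog receiver over TCP (RFC 5424 + RFC 6587 framing).
# Assumed values (placeholders): forwarder host/port, channel, event IDs, bookmark file path.
param(
    [string]$SyslogHost   = 'syslog-fwd.example.internal',        # assumed hostname
    [int]$SyslogPort      = 6514,                                  # assumed port
    [switch]$UseTls,
    [string]$Channel      = 'Security',
    [int[]]$EventIds      = @(4624, 4625, 4720, 4728, 4732, 4756), # assumed event IDs of interest
    [string]$BookmarkFile = "$env:ProgramData\EvtToSyslog\$Channel.bookmark"
)
$ErrorActionPreference = 'Stop'

# Resume from the last RecordId we shipped so a rerun neither drops nor duplicates events.
$lastRecord = 0
if (Test-Path $BookmarkFile) { $lastRecord = [int64](Get-Content $BookmarkFile -Raw).Trim() }

# Get-WinEvent throws when nothing matches; silence that and treat it as "no new events".
$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = $EventIds } -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $lastRecord } |
          Sort-Object RecordId
if (-not $events) { return }

$facility = 13   # syslog facility 13 = log audit
function Get-Severity([int]$level) {
    # Windows level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 0/5 other
    switch ($level) { 1 { 2 } 2 { 3 } 3 { 4 } default { 6 } }
}
function ConvertTo-SdParam([string]$s) {
    # RFC 5424 section 6.3.3: escape backslash, double quote and closing bracket in SD-PARAM values.
    $s -replace '\\', '\\' -replace '"', '\"' -replace ']', '\]'
}
function Format-Syslog($e) {
    $pri = $facility * 8 + (Get-Severity $e.Level)
    $ts  = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss.fff\Z')
    $sd  = '[win@32473 EventID="{0}" RecordId="{1}" Channel="{2}" Provider="{3}"]' -f $e.Id, $e.RecordId, (ConvertTo-SdParam $e.LogName), (ConvertTo-SdParam $e.ProviderName)
    # Collapse the multi-line Windows message onto one line so one syslog frame carries one event.
    $msg = ($e.Message -replace '\r?\n', ' ' -replace '\s{2,}', ' ').Trim()
    "<$pri>1 $ts $env:COMPUTERNAME WinEvtLog - $($e.Id) $sd $msg"
}

$client = New-Object System.Net.Sockets.TcpClient($SyslogHost, $SyslogPort)
$stream = $client.GetStream()
if ($UseTls) {
    # Plain syslog is neither authenticated nor encrypted; wrap the TCP stream in TLS and
    # validate the receiver's certificate against the machine trust store.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    $ssl.AuthenticateAsClient($SyslogHost)
    $stream = $ssl
}
$utf8 = New-Object System.Text.UTF8Encoding($false)
try {
    foreach ($e in $events) {
        $bytes = $utf8.GetBytes((Format-Syslog $e))
        # RFC 6587 octet counting: "<length> <message>", so a newline inside a message cannot split a record.
        [byte[]]$frame = $utf8.GetBytes("$($bytes.Length) ") + $bytes
        $stream.Write($frame, 0, $frame.Length)
        $lastRecord = $e.RecordId
    }
    $stream.Flush()
} finally {
    $stream.Dispose()
    $client.Close()
    # Persist the last RecordId actually written, so a failed run resumes at-least-once rather than skipping.
    New-Item -ItemType Directory -Force (Split-Path $BookmarkFile) | Out-Null
    Set-Content -Path $BookmarkFile -Value $lastRecord
}
```

Run it from a scheduled task under an account that can read the Security log (Event Log Readers or Administrators), and make sure the receiving syslog daemon is configured for TCP with octet-counting framing, since many receivers default to newline-delimited input. The script re-reads every matching event on each run and filters by RecordId afterwards, which is fine for a per-minute task on a modest channel; on a busy domain controller add a StartTime to the filter hashtable so each run only walks the recent window.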

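The "security risk depending on how you set up the share" caveat in option 3 comes down to who can write where. The following is an added example, not from the thread or from Splunk, of setting the share up so each Windows server can only add files to its own folder, the share requires SMB 3 encryption on the wire, and the account used by the Splunk forwarder on the collector can only read; the server side then exports only events newer than its last bookmark. The domain (CORP), share root (D:\EvtDrop), collector name, and service account name are assumptions.

```powershell
# Added example, not from the original thread or from Splunk.
# Assumed names: domain CORP, share root D:\EvtDrop, collector host "collector", Splunk account CORP\svc-splunk.
Import-Module SmbShare

# --- Collector side ------------------------------------------------------------
function New-EventDropShare([string]$Root) {
    New-Item -ItemType Directory -Force $Root | Out-Null
    # Share-level ACL is deliberately coarse (computers may write, Splunk may read);
    # the per-host NTFS ACLs below narrow it. EncryptData forces SMB 3 encryption for every session.
    New-SmbShare -Name 'EvtDrop' -Path $Root -EncryptData $true `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'CORP\Domain Computers' -ReadAccess 'CORP\svc-splunk' | Out-Null
}

function New-HostDropFolder([string]$Root, [string]$ComputerName, [string]$Domain = 'CORP') {
    $path = Join-Path $Root $ComputerName
    New-Item -ItemType Directory -Force $path | Out-Null
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; only the explicit ACEs below apply
    $inherit = 'ContainerInherit,ObjectInherit'
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        # This host's computer account may create and append files but has no Delete or WriteDac,
        # so a compromised server cannot erase or re-permission what it already shipped.
        @("$Domain\$ComputerName`$", 'ReadData,CreateFiles,AppendData,ReadAttributes,WriteAttributes,Synchronize'),
        # The forwarder's service account only reads.
        @("$Domain\svc-splunk",     'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl
}

# --- Windows server side (scheduled task running as SYSTEM, which reaches the share as the computer account) ---
function Export-NewEvents([string]$Channel, [string]$DropFolder, [string]$BookmarkFile) {
    $last = 0
    if (Test-Path $BookmarkFile) { $last = [int64](Get-Content $BookmarkFile -Raw).Trim() }
    $newest = (Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
    if (-not $newest -or $newest -le $last) { return }
    # One file per (host, channel, record range); the name itself documents what the file covers.
    $out   = Join-Path $DropFolder ('{0}-{1}-{2}-{3}.evtx' -f $env:COMPUTERNAME, $Channel, ($last + 1), $newest)
    $query = "*[System[EventRecordID > $last and EventRecordID <= $newest]]"
    & wevtutil.exe epl $Channel $out "/q:$query"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }
    New-Item -ItemType Directory -Force (Split-Path $BookmarkFile) | Out-Null
    Set-Content -Path $BookmarkFile -Value $newest
}

# Usage (assumed names):
# collector:  New-EventDropShare -Root 'D:\EvtDrop'; New-HostDropFolder -Root 'D:\EvtDrop' -ComputerName 'DC01'
# each host:  Export-NewEvents -Channel 'Security' -DropFolder "\\collector\EvtDrop\$env:COMPUTERNAME" `
#                              -BookmarkFile "$env:ProgramData\EvtDrop\Security.bookmark"
```

The Splunk forwarder on the collector then monitors D:\EvtDrop recursively with the input type Splunk documents for exported .evt/.evtx files (check the docs for your version). Two things to verify after deploying: that a host's computer account really cannot delete or overwrite in its own folder (try from that host), and that the export still succeeds with that reduced ACL, since an export tool that needs more than create-and-append would fail at the first run rather than silently.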