Security

Configuring a light forwarder to monitor the Windows event log

dbutch1976
Explorer

Hello,

The script I'm using to install the light forwarder is below:

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="indexer.mycompany.com:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="DOMAIN\svc-splunkforwarder" IS_NET_API_LOGON_PASSWORD="########" WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 /quiet

My question is, how can I modify this command line so that it only logs certain things? I don't want to roll this out across my enterprise and the be bombarded by logs because it's capturing too much. For example, can I log errors only?

Also,

If I find a configuration I like how will I modify this configuration for all clients that have splunk installed across the enterprise?

Tags (1)
0 Karma

dbutch1976
Explorer

Thanks for the reply. I'll take a look at deployment services. I guess my real question is, since Splunk just monitors certain log files for changes and then forwards the changes to a central store (that's my understanding) is it even possible to modify the forwarder so that it only forwards errors?

0 Karma

JSapienza
Contributor

I'm no expert but I think you need to take a look at using Deployment Server

This is what I use to control who gets which app and the specific inputs . Its a great feature.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...