Not clear about heavy forwarder

mindterrian
New Member

Hi

Now I want to collect specific Windows event logs and use the Universal Forwarder to send them to Splunk Enterprise, such as Security events whose Task Category = File Share.
I see a suggestion to install a heavy forwarder and don't understand what a heavy forwarder is. (https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder)

Does it mean installing the Splunk Enterprise software on the Windows Server that I want to collect logs from and configuring forwarding to send the logs to the main Splunk Enterprise?

Thank you

1 Solution

nickhills
Ultra Champion

To answer your question directly.

No.
The simplest way to collect log data from Windows systems is to install a universal forwarder on each of the Windows servers/workstations you want to collect from. (Yes, there are other ways, but a UF is far simpler.)
You then need to configure the UF to collect the logs you are interested in.
If you need to filter out some of the uninteresting events, there is a basic filtering system using black/white lists which you can employ to do this. In this case you would not need a heavy forwarder.

If you have specific (complicated) filtering requirements, you may consider installing an additional heavy forwarder, which your UF will send its logs to first, before the HF sends the data to your indexers.
This approach gives you a lot more control over the filtering and routing of events; however, unless you have specific (filtering/pre-processing/network) requirements, it is not necessary in most use cases.

If my comment helps, please give it a thumbs up!


mindterrian
New Member

Hi

OK, then how do I use black/white lists for a specific Security event that has Task Category = File Share?

Thank you


nickhills
Ultra Champion

If you want to exclude certain events you can use something like:

[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
blacklist4 = EventCode="4688" Message="conhost"

See: https://docs.splunk.com/Documentation/Splunk/7.2.3/admin/inputsconf#Event_Log_whitelist_and_blacklis...

If you only want "File Share" events, try instead a single whitelist statement like

[WinEventLog://Security]
# key=regex form: the value is a regex searched against the event's Task Category
whitelist1 = TaskCategory="File Share"
If my comment helps, please give it a thumbs up!

mindterrian
New Member

Should I edit the file at the path \SplunkUniversalForwarder\etc\system\default?

mindterrian
New Member

Thank you nickhillscpl

I tested editing the file inputs.conf at the path \SplunkUniversalForwarder\etc\system\default with Notepad++ and it works!!!

----------This is the edit test----------

[WinEventLog://Security]
blacklist1 = TaskCategory="Logon"

nickhills
Ultra Champion

You shouldn't edit ./default - you should make changes in ./local

If my comment helps, please give it a thumbs up!
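The whitelist stanza from the earlier answer and the "put it in ./local, not ./default" point from this one, combined into one worked example. This is an added example, not code from the thread or from Splunk; it assumes the default UF install path (C:\Program Files\SplunkUniversalForwarder) and the default Windows service name (SplunkForwarder), and the here-string is the constructed stanza to be written. It runs in an elevated PowerShell on the forwarder itself.

```powershell
# Added example (not from the thread): write the Security-log filter to
# etc\system\local on a Windows universal forwarder, check the merged config,
# and restart the forwarder so it takes effect.
# Assumptions: default install path and service name below; adjust if yours differ.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default UF path
$LocalConf  = Join-Path $SplunkHome 'etc\system\local\inputs.conf'

# Keep only Security events whose Task Category is exactly "File Share".
# key=regex matching is a regex search, so an unanchored "File Share" would also
# match "Detailed File Share" (the 5145 events); the ^...$ anchors prevent that.
$Stanza = @'

[WinEventLog://Security]
disabled = 0
whitelist1 = TaskCategory="^File Share$"
'@

# Never touch etc\system\default: it is overwritten on upgrade and local overrides it.
New-Item -ItemType Directory -Force -Path (Split-Path $LocalConf) | Out-Null

# Appending a second [WinEventLog://Security] stanza would silently merge keys;
# refuse to append if one already exists so the admin edits it by hand instead.
if ((Test-Path $LocalConf) -and
    (Select-String -Path $LocalConf -Pattern '^\[WinEventLog://Security\]' -Quiet)) {
    throw "$LocalConf already has a [WinEventLog://Security] stanza; edit it instead of appending."
}
Add-Content -Path $LocalConf -Value $Stanza -Encoding ASCII

# Show the merged default+local view of the stanza and which file each key came from,
# so you can confirm the whitelist regex survived quoting and that local wins.
& "$SplunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://Security' --debug

# Apply the change; the UF only re-reads inputs.conf on restart.
Restart-Service -Name SplunkForwarder
```

After the restart, search the indexer for `index=* sourcetype=WinEventLog:Security` and confirm that only events with TaskCategory "File Share" arrive; if you also need the per-access detail (Detailed File Share), either drop the anchors or add a second line such as `whitelist2 = TaskCategory="^Detailed File Share$"`.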

mindterrian
New Member

Yes, I read that document and it is not clear.
Does Heavy Forwarder mean a Splunk Enterprise instance created for collecting logs only?
