For the Windows events/logs that end up in the storage buckets on Splunk Enterprise servers, is Splunk copying the original Windows event log files to its own storage, or is it just ingesting events from the forwarders?
The reason I ask is because our CISO wants our security team to retain the original log files for fidelity in case we ever get audited or sued, and I feel like we can just set up Splunk to alert us if log files have been cleared. Additionally, if an insider threat were to pull a workstation offline, then clear the logs, we wouldn't have the original logs anyway...
Does anyone know if there are regulations in any industries that require the original log files?
Splunk uses the Windows API and WMI (depending on use case) to access event data. If I remember correctly, there was an option to upload an evt file to a Splunk instance (not a UF!) and ingest it, but it must be a Splunk instance running on Windows. I'm not even sure if it still works.
Anyway, even if the UF read straight from the raw Windows event log files, it would still ingest the data in rendered format and it would still not affect the original files.
The Windows event logs in Splunk are copies of Windows event logs stored elsewhere.
Yes, you can set up Splunk to alert if an event log is cleared. There's a use case for that in Splunk Security Essentials.
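As an added example (not part of this thread, and not Splunk's or Splunk Security Essentials' own code), here is the kind of detection logic the "log cleared" use case runs, written in Python over a few constructed records in Splunk's classic multi-line key=value rendering of Windows events. The host names, account and SID are placeholders. It keys on the two event IDs Windows itself writes when a log is cleared: 1102 in the Security log (Security log cleared) and 104 in the System log (any other log cleared), both from the provider Microsoft-Windows-Eventlog.

```python
import re
from typing import Dict, List

# Constructed sample of what a Universal Forwarder's WinEventLog input renders
# (classic, non-XML format). Hosts, accounts and SIDs are placeholders.
SAMPLE_EVENTS = """\
03/14/2024 10:15:22 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=WS01.corp.example
SourceName=Microsoft Windows security auditing.
Type=Information
Message=An account was successfully logged on.

03/14/2024 10:16:05 AM
LogName=Security
EventCode=1102
EventType=0
ComputerName=WS01.corp.example
SourceName=Microsoft-Windows-Eventlog
Type=Information
Message=The audit log was cleared.
Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjdoe
\tDomain Name:\t\tCORP

03/14/2024 10:16:09 AM
LogName=System
EventCode=104
EventType=4
ComputerName=WS01.corp.example
SourceName=Microsoft-Windows-Eventlog
Type=Information
Message=The System log file was cleared.
"""

# Each rendered event begins with a timestamp line; that is the event boundary.
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
ACTOR_RE = re.compile(r"Account Name:\s*(\S+)")

# 1102: Security log cleared (written to Security). 104: another log cleared
# (written to System). Both come from the Microsoft-Windows-Eventlog provider;
# requiring that provider avoids matching unrelated events that reuse ID 104.
CLEAR_EVENT_CODES = {"1102", "104"}
CLEAR_SOURCE = "Microsoft-Windows-Eventlog"


def split_events(text: str) -> List[str]:
    """Split rendered WinEventLog text into one chunk per event."""
    chunks: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line) and current:
            chunks.append("\n".join(current).strip())
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current).strip())
    return [c for c in chunks if c]


def parse_event(chunk: str) -> Dict[str, str]:
    """Turn one rendered event into a field dict; Message= runs to the end."""
    lines = chunk.split("\n")
    fields: Dict[str, str] = {"_time": lines[0]}
    for i, line in enumerate(lines[1:], start=1):
        if line.startswith("Message="):
            # The free-text message body may span many lines (Subject block etc.).
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect_cleared_logs(text: str) -> List[Dict[str, str]]:
    """Return one alert per 'log cleared' event, with host, log and actor."""
    alerts: List[Dict[str, str]] = []
    for chunk in split_events(text):
        ev = parse_event(chunk)
        if ev.get("SourceName") != CLEAR_SOURCE:
            continue
        if ev.get("EventCode") not in CLEAR_EVENT_CODES:
            continue
        actor = ACTOR_RE.search(ev.get("Message", ""))
        alerts.append({
            "time": ev["_time"],
            "host": ev.get("ComputerName", "unknown"),
            "log": ev.get("LogName", "unknown"),
            "code": ev["EventCode"],
            "actor": actor.group(1) if actor else "unknown",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cleared_logs(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['host']}: {alert['log']} log cleared "
              f"(EventCode {alert['code']}) by {alert['actor']}")
```

In Splunk the same logic would be a scheduled search over the Windows event log index filtering on those two event codes and the Microsoft-Windows-Eventlog source. Note that the clear event is written after the log is emptied, so it survives the clear itself and is forwarded whenever the forwarder next reaches the indexer; what you still do not get is the content that was cleared, which is the gap the original poster describes.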