Splunk Enterprise

Collect Windows/Linux logon events



I have some newbie questions. We need to collect Windows/Linux logon events and send them to another system using a forwarder.

1. For Windows, we understand that the options for collecting events logs are: (i) Install a forwarder on each Windows machine (ii) Collect the logs remotely over WinRM using a heavy forwarder. Is this correct or are we missing some options? What is the most common way? In case a forwarder is installed on each machine, each one will send the data to the indexer or is it common to use a central forwarder and send to the indexer from there?

2. Are the options similar in Linux? What the common way?

3. The other system will need to correlate the events with a list of machines it gets from somewhere else, where the machines might appear the IP address or the hostname, and it has no way to perform DNS lookups. Is it possible to configure Splunk to forward both IP and hostname/FQDN as part of the event?

Thanks, Gabriel

Labels (2)
0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...