Splunk Enterprise

Indexing Windows security log from Search Head, Indexers and Cluster Master

coenvandijk
New Member

We have a Splunk environment with 1 Search Head/Deployment Server, 1 Cluster Master and 2 Indexers. We are also using the Splunk_TA_windows app.

All other Windows servers are running the Universal Forwarder. The configuration deployed from the deployment server takes care of configuring the Universal Forwarders.

The Splunk servers themselves do have the Universal Forwarder (since they are already Heavy Forwarders). How can I configure these servers to all forward their (Windows security) data so that it will be indexed?

Thanks in advance
Coen


BlueSocket
Communicator

Hi,

Every server with Splunk Enterprise installed on it can and does already read its own logs and pass them to the Indexers. You can see that with index=_*.

DO NOT install the Universal Forwarder on any servers that already have Splunk Enterprise installed on them (such as an Indexer).

You can use the Cluster Master to put the Splunk_TA_Windows app onto the Indexers. I do something similar with the Splunk_TA_Nix to get the logs from my Linux Indexers.

Just be careful about what you enable within the TA, as if you enable too many inputs, you could get some performance issues where you need outright speed.

Best thing, though, is that you might want to create a small Dev VM environment to test, if your current system is in Production and you need to keep the Indexers OK.

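One concrete way to do what the answer above describes on the Search Head and Cluster Master (the Splunk Enterprise boxes that are not Indexers), written as an added example for this thread rather than code from either poster. It assumes Splunk Enterprise is installed under C:\Program Files\Splunk, that the two Indexers already listen on port 9997 (a [splunktcp://9997] stanza in their inputs.conf) and have an index named wineventlog, and it uses placeholder hostnames (idx1/idx2.example.com) and a placeholder app name (local_winsec_forward). The WinEventLog stanza is the same one you would otherwise enable in Splunk_TA_windows/local/inputs.conf; the outputs.conf stanzas turn a full Splunk Enterprise instance into a forwarder that does not index locally. Do not deploy the outputs.conf part to the Indexers themselves.

```powershell
# Added example, not from the original thread. Placeholders: $SplunkHome,
# $AppName, the indexer hostnames and the wineventlog index are assumptions.
$SplunkHome = 'C:\Program Files\Splunk'
$AppName    = 'local_winsec_forward'                   # placeholder app name
$Indexers   = 'idx1.example.com:9997, idx2.example.com:9997'   # placeholder hosts
$LocalDir   = Join-Path $SplunkHome "etc\apps\$AppName\local"

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# inputs.conf: collect only the Security event log, nothing else from the TA,
# which keeps the load on these boxes small (the answer's point about enabling
# too many inputs). start_from/current_only = 0 picks up the existing log, not
# just new events.
@"
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
"@ | Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Encoding ASCII

# outputs.conf: make a full Splunk Enterprise instance (Search Head, Cluster
# Master) forward instead of indexing. index = false stops local indexing;
# forwardedindex.filter.disable = true also forwards the internal indexes
# (_internal, _audit, ...) that index=_* shows. useACK = true asks the indexers
# to acknowledge receipt so events are not lost if a connection drops.
@"
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = $Indexers
useACK = true
"@ | Set-Content -Path (Join-Path $LocalDir 'outputs.conf') -Encoding ASCII

# Check what the merged configuration actually says before restarting, then
# restart splunkd so the new input and output take effect.
$Splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $Splunk btool inputs  list 'WinEventLog://Security' --debug
& $Splunk btool outputs list tcpout --debug
& $Splunk restart
```

After the restart, search index=wineventlog host=<searchhead or clustermaster> on the Search Head; if nothing arrives, the btool output above tells you which file won for each setting, and the splunkd.log on the forwarding box (index=_internal source=*splunkd.log component=TcpOutputProc) shows whether it connected to the Indexers. For the Indexers, leave outputs.conf alone and push only the Splunk_TA_windows inputs.conf via the Cluster Master's master-apps directory, as the answer suggests; an Indexer that indexes its own Security log needs no forwarding at all.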