Indexing Windows security log from Search Head, Indexers and Cluster Master

We have a Splunk environment with 1 Search Head/Deployment Server, 1 Cluster Master and 2 Indexers. We are also using the Splunk_TA_windows app.

All other windows servers are running the Universal Forwarder. The configuration deployed from the deployment servers takes care of configuring the Universal Forwarders.

The Splunk servers themselves do have the Universal Forwarder (since they are already Heavy Forwarders). How can I configure these servers to all forward their (Windows security) data so that it will be indexed?

Thanks in advance

Every server with Splunk Enterprise installed on it can and does already read its own logs and pass them to the Indexers. You can see that with index=_*

DO NOT install the Universal Forwarder on any servers that already have Splunk Enterprise installed on (such as an Indexer).

You can use the Cluster Master to put the Splunk_TA_Windows app onto the Indexers. I do something similar with the Splunk_TA_Nix to get the logs from my Linux Indexers.

Just be careful about what you enable within the TA, as if you enable too many inputs, you could get some performance issues where you need outright speed.

Best thing, though, is that you might want to create a small Dev VM environment to test, if your current system is in Production and you need to keep the Indexers ok.

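As an added example (not from the question or the answer above): an inputs.conf override for Splunk_TA_windows that enables only the Security event log, staged on the Cluster Master so the cluster bundle carries it to the Indexers. The index name wineventlog is an assumption; the directory layout and the bundle commands are standard Splunk ones.

```ini
# Added example: $SPLUNK_HOME/etc/master-apps/Splunk_TA_windows/local/inputs.conf
# on the Cluster Master (the directory is called manager-apps on newer releases).
# The TA's default/inputs.conf ships every channel disabled; only Security is enabled here.

[WinEventLog://Security]
disabled = 0
# Read the existing log once, then only new events, checkpointing every 5 s
start_from = oldest
current_only = 0
checkpointInterval = 5
# XML rendering preserves the event fields the TA's field extractions expect
renderXml = true
# Assumed index name; it must already exist on the Indexers
index = wineventlog

# Other channels left off on purpose to keep load on the Indexers low
[WinEventLog://Application]
disabled = 1

[WinEventLog://System]
disabled = 1

# Then, on the Cluster Master, check and distribute the bundle to the peers:
#   splunk validate cluster-bundle
#   splunk apply cluster-bundle
```

The bundle reaches only the cluster peers (the Indexers); the Search Head and the Cluster Master are not peers, so the same app with this local/inputs.conf is placed in their own $SPLUNK_HOME/etc/apps directly.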