Splunk Enterprise

Using UF as windows syslog forwarder

PickleRick
SplunkTrust
SplunkTrust

It's a bit off-topic but I have a kinda unusual use case. I want to get the events out of windows box and store it on a linux machine (in this particular case it's windows VM and I want to export the events to the hypervisor).

Of course for linux it's easiest to receive syslog messages but as we all know, Windows doesn't have built-in syslog server and you can't easily get the events with built-in windows tools to push through syslog channel.

So far I've been using the free SolarWinds Event Log Forwarder but it has its flaws - most notably it has problems with starting automatically with the Windows machine. It ends up with the process started but it's not forwarding events unless I manually disable and re-enable the subscriptions. That's unacceptable.

So I was thinking that maybe I should just install UF and instead of using splunk-tcp output just push events with plain tcp output to a syslog server. Anyone has experience with it?

The upside to this is that I know that UF works relatively reliably and I wouldn't have to worry about it too much.

The downside is that I would have to define a separate input for each event log channel (but I think I'd simply script it and have it run every few days to synchronise eventlog channels with inputs.conf).

I could of course set up whole Splunk Free environment on my hypervisor but it would be a huuuuuge overkill.

Any hints for the UF installation/configuration?

Labels (1)
0 Karma
1 Solution

JacekF
Path Finder

A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.

Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

Bah.

Forgot that syslog output is not available on UF.

But I might try with http output and imhttp rsyslog module.

I'll test it some time next week probably.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It seems that rsyslog's imhttp module is not that easy to get - it's not distributed with binary packages and I definitely have no time to rebuild whole packages (and look for civetweb that the module relies on and compiling that).

So it seems the UF->rsyslog option is not really viable for me.

0 Karma

JacekF
Path Finder

A few years back I was using nxlog to send Windows Event Log data to external log collecting systems. It can send logs to syslog and I remember it as being rather reliable.

Converting and Forwarding Windows Event Log via Syslog for Log Collection (nxlog.co)

PickleRick
SplunkTrust
SplunkTrust

Thanks for the hint. I will probably check it out. But since I had my idea, I think I will check the UF setup as well 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...