Splunk Search

Export Windows Event LOG

robertocapizzo9
Loves-to-Learn

Hi,
I need to import the security and application logs of many windows servers to splunk, but for security reasons I cannot install a splunk universal forwarder instance, I read on the splunk documentation that it is not recommended to use wmi to import the logs .. .
What do you recommend?

thanks!

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Start by telling your Security people that you'll be using Splunk to monitor WinEventLog:Security, which will *enhance* the security of those servers.  They probably won't care, but at least then you'll know what hypocrites they are.

Another possibility is to forward the Windows events to another server that can run a UF.  See https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-... for more about event forwarding.

Still another possibility that I've never seen done is to forward the Windows events in HTTP protocol directly to a HEC input.  See the same link above.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...