Splunk Search

How do I search the aggregated event logs of our Splunk servers?

Gregski11
Communicator

I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them. How then do we run a search across all of our Splunk servers' Event Logs to, for instance, see how long each one was up for? I have the query, and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it.


gcusello
Legend

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe

Gregski11
Communicator

@gcusello wrote:

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe


Looks like the Splunk Add-on for Windows does not collect Event Logs:

The Splunk Add-on for Windows allows a Splunk software administrator to collect:

  • CPU, disk, I/O, memory, log, configuration, and user data with data inputs.
  • Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default.
  • Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging.


    https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows


gcusello
Legend

Hi @Gregski11,

first, check for new versions of this TA;

but anyway, using the TA_Windows it's possible to take many other types of data, starting from WinEventLog. Check the inputs.conf file on each Splunk server to see which inputs are enabled.

When you enable these inputs and you have enabled forwarding, you'll have all logs from all Splunk servers in the Indexers.

Ciao.

Giuseppe

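The two replies above amount to a procedure: point the Splunk Enterprise server's outputs.conf at the indexers, install Splunk_TA_windows on it, and enable the WinEventLog inputs in a local inputs.conf, then confirm which inputs are actually enabled. As an added example (not code from the thread, from Splunk, or from the TA), the Python below parses the layered inputs.conf files the way Splunk applies precedence (default first, local overriding per key), parses outputs.conf, and reports which WinEventLog channels are effectively on and where the host forwards. The three .conf snippets are constructed to resemble what the TA ships and what an admin would add; the indexer hostnames and the group name "primary_indexers" are placeholders.

```python
"""Audit whether a Splunk Enterprise host forwards its own Windows event logs.

Added example, not from the thread. Splunk .conf files are INI-like, and a
key in etc/apps/<app>/local overrides the same key in etc/apps/<app>/default,
so the check must merge the layers before deciding if an input is enabled.
"""
import configparser

# Constructed: Splunk_TA_windows default/inputs.conf ships its inputs disabled.
TA_DEFAULT_INPUTS = """
[WinEventLog://Application]
disabled = 1
index = wineventlog

[WinEventLog://Security]
disabled = 1
index = wineventlog

[WinEventLog://System]
disabled = 1
index = wineventlog
"""

# Constructed: the admin's local/inputs.conf turning on Security and System.
# System is the channel Windows writes its boot and uptime events to.
TA_LOCAL_INPUTS = """
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = false
"""

# Constructed: etc/system/local/outputs.conf (hostnames are placeholders).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""


def parse_conf(text):
    """Parse one .conf layer into {stanza: {key: value}} with keys kept case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Apply Splunk precedence: later layers (local) override earlier ones (default) per key."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def is_enabled(stanza_keys):
    """A stanza with no 'disabled' key is enabled; 1/true/yes (any case) disable it."""
    return stanza_keys.get("disabled", "0").strip().lower() not in ("1", "true", "t", "yes", "y")


def enabled_event_log_channels(inputs):
    """Return the sorted WinEventLog channel names that are effectively enabled."""
    return sorted(
        stanza.split("://", 1)[1]
        for stanza, keys in inputs.items()
        if stanza.startswith("WinEventLog://") and is_enabled(keys)
    )


def forwarding_targets(outputs):
    """Return the indexer host:port list of the default tcpout group, or [] if none."""
    group = outputs.get("tcpout", {}).get("defaultGroup", "").strip()
    if not group:
        return []
    servers = outputs.get("tcpout:" + group, {}).get("server", "")
    return [s.strip() for s in servers.split(",") if s.strip()]


def audit(default_inputs, local_inputs, outputs_conf, required=("Security", "System")):
    """Merge the input layers and report channels, forwarding targets and gaps."""
    inputs = merge_layers(parse_conf(default_inputs), parse_conf(local_inputs))
    channels = enabled_event_log_channels(inputs)
    targets = forwarding_targets(parse_conf(outputs_conf))
    missing = [c for c in required if c not in channels]
    return {
        "channels": channels,
        "targets": targets,
        "missing": missing,
        "ok": bool(targets) and not missing,
    }


if __name__ == "__main__":
    print(audit(TA_DEFAULT_INPUTS, TA_LOCAL_INPUTS, OUTPUTS_CONF))
```

On the server itself the same effective view comes from `splunk btool inputs list --debug` and `splunk btool outputs list --debug`, which also show which file each winning key came from; the point of the parser is that a `disabled = 1` left in default is what makes a freshly installed TA collect nothing until local overrides it.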

Gregski11
Communicator


Thank you so much, Giuseppe. It appears we do have the Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible, though, but I don't think that matters). I do not see it on our other Splunk servers, but they have apps called SplunkForwarder and SplunkLightForwarder; I wonder what those apps do on those servers.

