I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them. How, then, do we run a search across all of our Splunk servers' Event Logs, for instance to see how long each one was up for? I have the query, and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it.
Hi @Gregski11,
each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.
At the same time you can install the same TAs (e.g. Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to the Indexers.
In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as on Forwarders, using TAs (better) or enabling local inputs (I don't like this!).
Ciao.
Giuseppe
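The configuration the answer above describes, as an added example (not from the thread and not Splunk's own files): a full Splunk Enterprise instance forwarding to indexers with outputs.conf, plus the Windows event log inputs enabled in the local layer of the Windows add-on. The indexer hostnames, port, app folder name and the `wineventlog` index name are assumptions; the index name only has to match what the search head queries.

```ini
# $SPLUNK_HOME/etc/apps/my_forwarding_app/local/outputs.conf
# Constructed example. Put this on the non-indexing nodes (search heads,
# deployer, license manager, deployment server, Monitoring Console host).
# Indexers do not need it: their own inputs land in their local indexes.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.corp:9997, idx2.example.corp:9997
useACK = true

# Once tcpout is configured a full instance stops indexing locally unless told
# otherwise; stating it explicitly avoids a second copy on the search head.
[indexAndForward]
index = false

# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# The add-on ships its inputs disabled in default/; enable them in local/ so
# upgrades of the TA do not overwrite your choices.
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
```

With the default forwarded-index filters, `_internal` and `_audit` are sent along with the Windows events, which is what lets the Monitoring Console see these servers without a Universal Forwarder. After a restart, confirm on an indexer with `index=wineventlog host=<splunk-server>` before assuming the search head is the problem.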
Looks like the Splunk Add-on for Windows does not collect Event Logs:
The Splunk Add-on for Windows allows a Splunk software administrator to collect:
Hi @Gregski11,
at first check for new versions of this TA,
but anyway, using the TA_Windows it's possible to take many other types of data, starting from WinEventLog; check the inputs.conf file on each Splunk Server to see which inputs are enabled.
When you enable these inputs and you have enabled forwarding, you'll have in the Indexers all logs from all Splunk Servers.
Ciao.
Giuseppe
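Checking "which inputs are enabled" means reading the merged view, not a single inputs.conf: the add-on's default/ layer disables every WinEventLog stanza and local/ switches some on. On the server itself `splunk btool inputs list WinEventLog --debug` prints that merged view with the file each key came from. The script below is an added example (not Splunk's code) that reproduces the two rules that matter here, local/ overriding default/ key by key and a `[default]` stanza supplying fallbacks, over two constructed inputs.conf layers; app-to-app precedence is not modelled.

```python
"""Resolve the effective WinEventLog inputs from layered Splunk inputs.conf
files, the way `splunk btool inputs list --debug` does for one app.

Added example for the thread, not Splunk's own code. Only two btool rules
are modelled: local/ overrides default/ key by key within a stanza, and the
[default] stanza supplies fallbacks for every other stanza in the file.
"""

# Constructed stand-in for Splunk_TA_windows/default/inputs.conf
DEFAULT_CONF = """\
[default]
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Application]
disabled = 1

[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 1
"""

# Constructed stand-in for Splunk_TA_windows/local/inputs.conf
LOCAL_CONF = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = false
index = wineventlog
"""


def parse_conf(text):
    """Parse Splunk's INI-like .conf syntax into {stanza: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Later layers win key by key, as local/ wins over default/."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def is_enabled(settings):
    """A missing `disabled` key means enabled; Splunk accepts 0/1 and false/true."""
    return settings.get("disabled", "0").strip().lower() not in ("1", "true")


def effective_wineventlog_inputs(*conf_texts):
    """Return {stanza: {"enabled": bool, "index": str}} for WinEventLog inputs.

    An unset index means the instance's default index, which is main unless
    indexes.conf changes it; that is reported here as "main".
    """
    merged = merge_layers(*(parse_conf(t) for t in conf_texts))
    defaults = merged.get("default", {})
    report = {}
    for stanza, settings in merged.items():
        if not stanza.startswith("WinEventLog://"):
            continue
        effective = {**defaults, **settings}
        report[stanza] = {
            "enabled": is_enabled(effective),
            "index": effective.get("index", "main"),
        }
    return report


if __name__ == "__main__":
    # Pass layers lowest precedence first: default/ then local/.
    for stanza, info in sorted(effective_wineventlog_inputs(DEFAULT_CONF, LOCAL_CONF).items()):
        state = "enabled " if info["enabled"] else "DISABLED"
        print(f"{state}  {stanza:<28} index={info['index']}")
```

Running it against the constructed layers shows Security and System enabled into `wineventlog` and Application still disabled from the default layer, which is exactly the situation that makes a server "missing" from `index=wineventlog` even though the add-on is installed. On a real server, point the same logic at the add-on's default/inputs.conf and local/inputs.conf, or just use btool.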
Thank you so much, Giuseppe. It appears we do have the Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible, though, but I don't think that matters). I do not see it on our other Splunk servers, but they have apps called SplunkForwarder and SplunkLightForwarder; I wonder what those apps do on those servers.