Splunk Search

How do I search the aggregated event logs of our Splunk servers?

Gregski11
Contributor

I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them. How then do we run a search across all of our Splunk servers' Event Logs to, for instance, see how long each one was up for? I have the query, and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it.


gcusello
SplunkTrust

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe

Gregski11
Contributor

@gcusello wrote:

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe


Looks like the Splunk Add-on for Windows does not collect Event Logs:

The Splunk Add-on for Windows allows a Splunk software administrator to collect:

  • CPU, disk, I/O, memory, log, configuration, and user data with data inputs.
  • Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default.
  • Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging.


    https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows


gcusello
SplunkTrust

Hi @Gregski11,

first, check for new versions of this TA;

but anyway, using the TA_Windows it's possible to take many other types of data, starting from WinEventLog; check the inputs.conf file on each Splunk Server to see which inputs are enabled.

When you enable these inputs and you enabled forwarding, you'll have in Indexers all logs from all Splunk Servers.

Ciao.

Giuseppe

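As an added illustration of the setup described above (not configuration from the thread or from Splunk_TA_Windows itself), here is a minimal pair of local .conf files for a Splunk Enterprise server that should collect its own Windows Event Logs and forward them to the indexers. The index name, indexer hostnames and port are assumptions; adjust them to your environment.

```ini
# inputs.conf  (e.g. $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf)
# Event Log inputs ship disabled in the add-on's default/ directory;
# they are switched on here in local/ so upgrades do not overwrite them.
[WinEventLog://System]
disabled = 0
index = wineventlog          # assumed index name, matches the one searched in the question
renderXml = false

[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = false

[WinEventLog://Application]
disabled = 0
index = wineventlog
renderXml = false

# outputs.conf  (e.g. $SPLUNK_HOME/etc/system/local/outputs.conf)
# Full Splunk Enterprise instances have the forwarding feature built in;
# this sends the collected events to the indexer tier.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997   # assumed hosts/port

# On a search head or management node, keep a local copy of nothing:
# everything is indexed only on the indexers.
[indexAndForward]
index = false
```

To confirm which inputs are actually enabled on a given server (and from which file each setting comes), run `splunk btool inputs list WinEventLog --debug` on that host. A restart of splunkd is required after changing these files.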

Gregski11
Contributor

@gcusello wrote:

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so you can forward internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe


thank you so much Giuseppe, it appears we do have the Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible, though, but I don't think that matters). I do not see it on our other Splunk servers, but they have apps called SplunkForwarder and SplunkLightForwarder; I wonder what those apps do on those servers.

