Is it possible to forward collected logs from a Windows Event Collector (WEC) server, i.e. from the Windows service that remotely collects logs from other Windows servers, such that the logs are compatible with "Splunk App for Windows Infrastructure"?
I imagine that at a minimum this would require "transforming" the default fields of host, source, sourcetype to meaningful values rather than the values that WEC uses. Would this then allow the events to be processed by the "Splunk Add-On for Windows"?
I know that the recommended method is to use a Universal Forwarder on all servers, or alternatively WMI, but as WEC has been around for a long time I am surprised there is no mention of it here ...
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/AboutWindowsdataandSplunk
Any information about anybody's experiences is much appreciated.