I am trying to understand how to set up Splunk for the first time. I have several Server VMs (exchange, DC, SCCM, Splunk) and about 70 workstations.
I want to use Splunk to audit my workstations' event logs. This is a high level overview on how I understand that to occur:
Install Splunk Enterprise on my Splunk Server (set up permissions as a domain user, etc)
Configure Splunk Server as a Receiver
Install a Universal Forwarder on every workstation and all of the other servers.
Configure each Universal Forwarder: define inputs on the universal forwarder with configuration files
Am I understanding this correctly?
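The steps in the question, written out as the Splunk configuration stanzas they correspond to. This is an added example, not configuration from the original post; the host name splunk01.corp.example, the index name wineventlog and the app name corp_uf_windows are assumptions, and the receiving port 9997 is Splunk's conventional default rather than a requirement.

```ini
; --- On the Splunk Enterprise server (the "Receiver" step) ---
; $SPLUNK_HOME/etc/system/local/inputs.conf
; Equivalent CLI: splunk enable listen 9997
[splunktcp://9997]
disabled = 0

; --- On every Universal Forwarder (workstations and the other servers) ---
; Put these two files in one app so the same bundle can be copied to every host
; (or pushed with Splunk's deployment server); the app name is an assumption.
; $SPLUNK_HOME/etc/apps/corp_uf_windows/local/outputs.conf
; Equivalent CLI: splunk add forward-server splunk01.corp.example:9997
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk01.corp.example:9997

; $SPLUNK_HOME/etc/apps/corp_uf_windows/local/inputs.conf
; Windows Event Log inputs; index name is an assumption and must already
; exist on the indexer or events are dropped with an error in splunkd.log.
[WinEventLog://Security]
disabled = 0
index = wineventlog
; read the whole existing log on first start, not only new events
start_from = oldest
current_only = 0
; drop the noisiest codes you do not plan to search on (example values)
blacklist = 4662,5156

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
```

Two caveats that matter for an audit use case. First, the forwarder service needs read access to the Security log: the default Local System account has it, whereas a custom domain account must be added to the Event Log Readers group (or given equivalent rights) or the Security stanza silently collects nothing. Second, the splunktcp connection above is unencrypted by default; if the event logs leave a trusted network segment, configure TLS on the splunktcp input and the tcpout group (the sslPassword/serverCert/clientCert settings in the same two files) before rolling this out to 70 hosts.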