Solved: Can we collect Windows event logs with the Splunk ...

mghocke · ‎10-20-2016

Hi everybody,

Is it possible to use the Splunk Add-On for Microsoft Windows when the indexers and search heads are all running on Linux? We have a group of people who want to collect Windows logs and throw them into Splunk, but they are also asking if we can install the Windows add-on. I guess my first questions would be, do we need to install anything on the search heads and indexers to support the functionality offered by this add-on? Or would it be sufficient to install a universal forwarder on a Windows host and put the add-on there?

Any input on how to approach this would be great!

Thanks!

--- Michael

jconger · ‎10-20-2016

There is no problem having a Windows host forward data to a Linux indexer. The Splunk Add-on for Microsoft Windows just collects data (perfmon, Windows event logs, scripted output, etc.) from Windows hosts. The Splunk App for Windows Infrastructure visualizes the data that is sent by the add-on (meaning the app does not collect data). Therefore, the Splunk App for Windows Infrastructure can be installed on Linux indexers and Search Heads as the app is platform independent.

View solution in original post

jconger · ‎10-20-2016

There is no problem having a Windows host forward data to a Linux indexer. The Splunk Add-on for Microsoft Windows just collects data (perfmon, Windows event logs, scripted output, etc.) from Windows hosts. The Splunk App for Windows Infrastructure visualizes the data that is sent by the add-on (meaning the app does not collect data). Therefore, the Splunk App for Windows Infrastructure can be installed on Linux indexers and Search Heads as the app is platform independent.

Can we collect Windows event logs with the Splunk Add-on for Microsoft Windows, and forward that data to Linux indexers?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life