Splunk Dev

Not clear about heavy forwarder

mindterrian
New Member

Hi

Now I want to collect specific Windows event logs and use the Universal Forwarder to send them to Splunk Enterprise, such as security events whose task category = File Share.
I see a suggestion to install a heavy forwarder and don't understand what a heavy forwarder is. (https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Deployaheavyforwarder)

Does that mean installing the Splunk Enterprise software on the Windows Server whose logs I want to collect, and configuring forwarding to send the logs to the main Splunk Enterprise?

Thank you

0 Karma
1 Solution

nickhills
Ultra Champion

To answer your question directly.

No.
The simplest way to collect log data from Windows systems is to install a universal forwarder on each of the Windows servers/workstations you want to collect from. (Yes, there are other ways, but a UF is far simpler.)
You then need to configure the UF to collect the logs you are interested in.
If you need to filter out some of the uninteresting events, there is a basic filtering system using black/white lists which you can employ to do this. In this case you would not need a heavy forwarder.

If you have specific (complicated) filtering requirements, you may consider installing an additional heavy forwarder, which your UF will send its logs to first, before the HF sends the data to your indexers.
This approach gives you a lot more control over the filtering and routing of events; however, in most use cases it is unnecessary, unless you have specific (filtering/pre-processing/network) requirements.

If my comment helps, please give it a thumbs up!


0 Karma


mindterrian
New Member

Hi

OK, then how do I use black/white lists for specific security events whose task category = File Share?

Thank you

0 Karma

nickhills
Ultra Champion

If you want to exclude certain events you can use something like:

[WinEventLog://Security]
blacklist1 = TaskCategory="^Kernel"
blacklist2 = EventCode="4663" Message="NT AUTHORITY\\SYSTEM"
blacklist3 = 4634,4656,4658,4662,4673,4674
blacklist4 = EventCode="4688" Message="conhost"

See: https://docs.splunk.com/Documentation/Splunk/7.2.3/admin/inputsconf#Event_Log_whitelist_and_blacklis...

If you only want "File Share" events, try instead a single whitelist statement like

whitelist1 = TaskCategory="File Share"
If my comment helps, please give it a thumbs up!
0 Karma
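To check a whitelist/blacklist stanza before it lands on a forwarder, here is an added dry-run in Python (not from this thread or from Splunk). It parses the inputs.conf entry syntax used above, rejects entries that are not `key="regex"` pairs or a bare EventCode list, and applies the semantics as I read the inputs.conf documentation: an event is kept if some whitelistN matches (or no whitelist is defined) and no blacklistN matches, with all pairs inside one entry required to match. The sample events are constructed, not real Security log records.

```python
import re

# Keys inputs.conf accepts in key="regex" whitelist/blacklist entries for WinEventLog inputs
VALID_KEYS = {"Category", "CategoryString", "ComputerName", "EventCode", "EventType",
              "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
              "SidType", "SourceName", "TaskCategory", "Type", "User"}
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # one key="regex" pair, backslash escapes allowed

# Constructed sample events standing in for Security log records (not real data)
SAMPLE_EVENTS = [
    {"EventCode": "5140", "TaskCategory": "File Share", "Message": "A network share object was accessed."},
    {"EventCode": "4624", "TaskCategory": "Logon", "Message": "An account was successfully logged on."},
    {"EventCode": "4688", "TaskCategory": "Process Creation", "Message": r"New Process Name: C:\Windows\System32\conhost.exe"},
    {"EventCode": "4634", "TaskCategory": "Logoff", "Message": "An account was logged off."},
]

def parse_entry(value):
    """Turn one whitelistN/blacklistN value into a list of (key, compiled regex); all pairs must match."""
    value = value.strip()
    if re.fullmatch(r"\d+(\s*,\s*\d+)*", value):            # bare EventCode list: 4634,4656,...
        codes = "|".join(c.strip() for c in value.split(","))
        return [("EventCode", re.compile(rf"^(?:{codes})$"))]
    pairs = PAIR.findall(value)
    if not pairs or PAIR.sub("", value).strip():            # e.g. a quoted string with no key
        raise ValueError(f"malformed entry: {value!r}")
    for key, _ in pairs:
        if key not in VALID_KEYS:
            raise ValueError(f"unknown key {key!r} in {value!r}")
    return [(key, re.compile(pattern)) for key, pattern in pairs]

def parse_stanza(text):
    """Collect whitelist and blacklist entries from one [WinEventLog://...] stanza."""
    rules = {"whitelist": [], "blacklist": []}
    for line in text.splitlines():
        m = re.match(r"\s*(whitelist|blacklist)\d*\s*=\s*(.+)", line)
        if m:
            rules[m.group(1)].append(parse_entry(m.group(2)))
    return rules

def keep_event(rules, event):
    """Keep if some whitelist matches (or none is defined) and no blacklist matches."""
    hit = lambda entry: all(rx.search(str(event.get(k, ""))) for k, rx in entry)
    allowed = not rules["whitelist"] or any(hit(e) for e in rules["whitelist"])
    return allowed and not any(hit(e) for e in rules["blacklist"])

def filter_events(stanza_text, events=SAMPLE_EVENTS):
    """Return the EventCodes the forwarder would keep under the given stanza."""
    rules = parse_stanza(stanza_text)
    return [ev["EventCode"] for ev in events if keep_event(rules, ev)]
```

Run `filter_events` on the stanza you intend to deploy; a ValueError points at an entry the forwarder would not interpret the way you expect.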

mindterrian
New Member

Should I edit the file on the path \SplunkUniversalForwarder\etc\system\default?

0 Karma

mindterrian
New Member

Thank you nickhillscpl

I tested editing the file inputs.conf on the path \SplunkUniversalForwarder\etc\system\default with Notepad++ and it works!!!

----------This is edit test----------

[WinEventLog://Security]
blacklist1 = TaskCategory="Logon"

0 Karma

nickhills
Ultra Champion

You shouldn't edit ./default; you should make changes in ./local.

If my comment helps, please give it a thumbs up!
0 Karma

dkeck
Influencer
0 Karma

mindterrian
New Member

Yes, I read that document and it is not clear.
Does Heavy Forwarder mean a Splunk Enterprise instance created only for collecting logs?

0 Karma