Can anybody tell me: while installing forwarders we get an option to choose which data is forwarded to the Splunk server (Splunk indexer), e.g. we get checkboxes for Application log, System log, Security log, Setup log, Forwarded Events log, etc. In the same way, is there any way I can specify a specific log to be forwarded to the Splunk server, rather than selecting these options? If we select even the Application Log option, it forwards all the application logs to the server, even those that are not required to be forwarded. Please help if anyone knows about this; it's urgent.
Currently there is not a way of selecting a specific log during install. I would recommend using the Deployment Server or something similar like Puppet. Though you could perform a scripted unattended installation and add the entries via script, I would recommend using the Deployment Server. If you are installing Forwarders on Windows, I have a previous post containing a PowerShell scripted install.
#unattended installation of Windows forwarder with event logs
#below is an unattended silent install with Windows Application, System, Security logging
#these options only exist for windows installations
msiexec.exe /i splunkuniversalforwarder_xxx.msi RECEIVING_INDEXER="myindexer:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes /quiet
Additional Reading:
Universal MSI CLI installation
Where to find the configuration files
powershell-unattended-installation
Hope this helps or gets you started.
@surajmishra, I've updated my post to include an example CLI installation using msiexec.exe. I do something similar, but I only configure my deployment server. In larger deployments, use the Deployment Server.
Hey bmacias84,
Thanks for your reply, but could you tell me, isn't there any way, either by using configuration files or something, where I can at least specify that the saved logs from Event Viewer be forwarded to the Splunk server?
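Added example, not part of the original thread or written by either poster: one way to script the "add the entries via script" approach mentioned above, by writing an inputs.conf that forwards only chosen event IDs per channel plus a folder of saved .evtx exports. The install path, app name, event IDs and the C:\SavedLogs folder are assumptions, and it assumes a forwarder version whose inputs.conf supports `whitelist` on WinEventLog stanzas.

```powershell
# Added example (not from the thread). Run elevated on the forwarder host,
# after installing with the WINEVENTLOG_*_ENABLE options left off.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default install path
$AppLocal   = Join-Path $SplunkHome 'etc\apps\example_wineventlog_inputs\local'  # hypothetical app name

# Channel -> event IDs to forward (constructed sample values; pick your own).
$Channels = [ordered]@{
    'Security'    = @(4624, 4625, 4720)
    'Application' = @(1000, 1001)
}

$lines = foreach ($name in $Channels.Keys) {
    $ids = $Channels[$name]
    # An empty list would silently forward the whole channel, so refuse it.
    if (-not $ids -or $ids.Count -eq 0) {
        throw "No event IDs given for channel '$name'"
    }
    "[WinEventLog://$name]"
    'disabled = 0'
    "whitelist = $($ids -join ',')"   # only these event IDs leave the host
    ''
}

# Saved logs exported from Event Viewer: monitor the export folder (assumed path),
# not the live winevt\Logs directory.
$lines += '[monitor://C:\SavedLogs\*.evtx]'
$lines += 'disabled = 0'

New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null
Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Value $lines -Encoding ASCII

# The forwarder reads inputs.conf at startup.
Restart-Service -Name SplunkForwarder
```

The same app folder can be pushed from the Deployment Server instead of being written locally. Before trimming the Security channel, check that the dropped event IDs are not ones your detections rely on.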