Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configuring a light forwarder to monitor the Windows event log

dbutch1976
Explorer
‎03-08-2011 03:02 PM

Hello,

The script I'm using to install the light forwarder is below:

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="indexer.mycompany.com:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="DOMAIN\svc-splunkforwarder" IS_NET_API_LOGON_PASSWORD="########" WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 /quiet

My question is, how can I modify this command line so that it only logs certain things? I don't want to roll this out across my enterprise and the be bombarded by logs because it's capturing too much. For example, can I log errors only?

Also,

If I find a configuration I like how will I modify this configuration for all clients that have splunk installed across the enterprise?

Tags (1)
0 Karma
Reply

dbutch1976
Explorer
‎03-10-2011 03:19 PM

Thanks for the reply. I'll take a look at deployment services. I guess my real question is, since Splunk just monitors certain log files for changes and then forwards the changes to a central store (that's my understanding) is it even possible to modify the forwarder so that it only forwards errors?

0 Karma
Reply

JSapienza
Contributor
‎03-08-2011 05:35 PM

I'm no expert but I think you need to take a look at using Deployment Server

This is what I use to control who gets which app and the specific inputs . Its a great feature.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...