Security

Configuring a light forwarder to monitor the Windows event log

dbutch1976
Explorer

Hello,

The script I'm using to install the light forwarder is below:

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="indexer.mycompany.com:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="DOMAIN\svc-splunkforwarder" IS_NET_API_LOGON_PASSWORD="########" WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 /quiet

My question is, how can I modify this command line so that it only logs certain things? I don't want to roll this out across my enterprise and the be bombarded by logs because it's capturing too much. For example, can I log errors only?

Also,

If I find a configuration I like how will I modify this configuration for all clients that have splunk installed across the enterprise?

Tags (1)
0 Karma

dbutch1976
Explorer

Thanks for the reply. I'll take a look at deployment services. I guess my real question is, since Splunk just monitors certain log files for changes and then forwards the changes to a central store (that's my understanding) is it even possible to modify the forwarder so that it only forwards errors?

0 Karma

JSapienza
Contributor

I'm no expert but I think you need to take a look at using Deployment Server

This is what I use to control who gets which app and the specific inputs . Its a great feature.

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...