Splunk Search

How do I search the aggregated event logs of our Splunk servers?

Gregski11
Contributor

I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them, how then do we run a search across all of our Splunk servers Event Logs to for instance see how long each one was up for?  I have the query and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe

Gregski11
Contributor

@gcusello wrote:

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe


Looks like the Splunk Add-on for Windows does not collect Event Logs:

The Splunk Add-on for Windows allows a Splunk software administrator to collect:

  • CPU, disk, I/O, memory, log, configuration, and user data with data inputs.
  • Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default.
  • Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging.


    https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows

 

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Gregski11,

at first check for new versions of this TA,

but anyway, using the TA_Windows it's possible to take many other types of data starting from WinEventLog, check the inputs.conf file on each Splunk Server to see which inputs are enabled.

When you enable these inputs and you enabled forwarding, you'll have in Indexers all logs from all Splunk Servers.

Ciao.

Giuseppe

0 Karma

Gregski11
Contributor

@gcusello wrote:

Hi @Gregski11,

each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer.

At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers.

In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!).

Ciao.

Giuseppe


thank you so much Giuseppe, it appears we do have the Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible though, but I don't think that matters) I do not see it on our other Splunk servers but they have apps called SplunkForwarder and  SplunkLightForwarder I wonder what those apps do on those servers


Tags (1)
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...