How to monitor Windows event logs from shared log collector server?

ryanhast
Explorer

I have a Kiwi log collector that Windows event logs are being collected on. The logs are first collected on a remote Kiwi log collector and then forwarded to my Kiwi log collector. I know that the best way of getting Windows event logs into Splunk is to install the universal forwarder on each Windows host, but that is not an option for me.

The goal is to use the TA_Windows app to read the remote Windows event logs that are collected on the Kiwi log collector server and forward the parsed data into a Splunk index. Any ideas?

0 Karma

s2_splunk
Splunk Employee

Any reason you cannot use the Microsoft Windows Event Collector on a separate server instead of using Kiwi?
If you do, you can install the Splunk UF there and make your life a whole lot easier.

This may be helpful information.

0 Karma

ryanhast
Explorer

On my Kiwi log collector I do have a Splunk UF installed. How can I configure the TA_Windows app to read the collected Windows event log? Is there a way?

0 Karma

arorajagmeet
Explorer

@ssievert: The blog link is not accessible anymore.
Original link: http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/

I am able to reach the following page, which lists the blog summary but fails to open the blog itself:
Blog summary page: http://blogs.splunk.com/tag/microsoft/page/4/

If you can still access it, could you please provide the information in the blog? Thanks.

0 Karma

s2_splunk
Splunk Employee

This blog post was removed because it was determined to be misleading. The biggest issue with forwarded Windows events was that Splunk's TA for Windows did not properly support logs processed in this way with Splunk's primary content apps (ES, ITSI, Windows Infrastructure, etc.).
For that reason, I am unfortunately not able to provide you with the content.

I have initiated removal of the summary page content as well, thank you for pointing that out.

The best practice to acquire Windows event logs is still to install our Universal Forwarder on the source systems.

0 Karma

s2_splunk
Splunk Employee

The Windows_TA relies on the executables shipped with the Windows forwarder to read perfmon and event log data using standard MS APIs.
What format does the Kiwi log collector store the event log data in?

0 Karma

ryanhast
Explorer

It breaks the log into a .log format with one event per line.
Again, there is a Splunk UF on the Kiwi log collecting server.

0 Karma
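Given the last reply (a .log file with one event per line, and a UF already on the Kiwi server), a plain file monitor is one way to get those lines into an index. This is an added example, not configuration from the thread or from Kiwi or Splunk; the monitored path, index name, sourcetype name and blacklist pattern are assumptions. As s2_splunk's replies point out, this only indexes the lines as text: it does not give you the Windows TA's event-log parsing or its support in ES, ITSI or Windows Infrastructure.

```ini
# inputs.conf on the Universal Forwarder installed on the Kiwi server.
# Path, index and sourcetype are assumed values; adjust them to your layout.
[monitor://C:\KiwiLogs\*.log]
disabled = false
index = kiwi_wineventlog
sourcetype = kiwi:wineventlog
# Skip rotated archives if Kiwi writes them into the same directory (assumed naming).
blacklist = \.(bak|zip)$

# props.conf on the indexer or heavy forwarder (the UF itself does not apply
# line-breaking rules), keyed by the sourcetype set above.
[kiwi:wineventlog]
# Kiwi writes one event per line, so never merge consecutive lines into one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp extraction is an assumption: set TIME_PREFIX and TIME_FORMAT
# to match the date layout at the start of Kiwi's lines.
MAX_TIMESTAMP_LOOKAHEAD = 30
# Windows event messages can be long; raise the per-event limit accordingly.
TRUNCATE = 10000
```

After restarting the forwarder, check `index=kiwi_wineventlog` for one event per Kiwi line before building any field extractions on top of it.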