Windows NT to forward logs to Splunk Enterprise, h...

Kitteh · ‎11-23-2017

I've been tasked to forward logs from Windows NT to Splunk Enterprise however, there is no Syslog inbuilt for Windows and also no Splunk Universal Forwarder.

Any idea how I should approach to this for corporate use?

nickhills · ‎11-23-2017

Todays "Splunking against the odds" award goes to @Kitteh
I'm sure there is a reason, and that its beyond your control but NT was EOL 13 years ago!
I salute your determination! 🙂

If my comment helps, please give it a thumbs up!

gcusello · ‎11-23-2017

Hi Kitteh,
try using an old verion of Universal Forwarder, e.g. 5.18 and check if you correctly receive logs.

three years ago, I had to install UF on an XP machine and I used version 4.3.7 with a special configuration:
SPLUNK_HOME/etc/system/local/inputs.conf

[script://$SPLUNK_HOME/bin/scripts/splunk-regmon.path
disabled = 1
[script://$SPLUNK_HOME/bin/scripts/splunk-wmi.path
disabled = 1
[script://$SPLUNK_HOME/bin/scripts/splunk-admon.path
disabled = 1

The safer way to proceed is to open a case to Splunk Support

Did you tried to use WMI?

Bye.
Giuseppe

Windows NT to forward logs to Splunk Enterprise, how?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...