Splunk Enterprise

What is best practice? Windows Event Collector or Splunk UF on each workstation?

itrimble1
Path Finder

We seem to be dropping events?

We are currently using Windows Event collectors on our Servers and Workstations and are missing events.

I found this link: Windows Event Forwarding and they say to use the UF?

Has anyone else had problems using Windows Event Forwarding?

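One defender-side way to confirm the "dropping events" symptom described in the question, as an added example that is not from this thread or from Splunk: events forwarded by WEF keep the source host's Computer and EventRecordID, so gaps in that per-host, per-channel counter show events the collector never received. The sample events, host names and record numbers below are constructed, and the check assumes the subscription forwards the whole channel rather than a filtered subset.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Within one (Computer, Channel) pair the source's EventRecordID is a
# monotonically increasing counter, so a missing number means the collector
# never received that event. Caveat (assumption): only meaningful when the
# WEF subscription forwards every event of the channel, not a filtered set.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def find_gaps(event_xml_list):
    """Return {(computer, channel): [missing record IDs]} for every gap found."""
    seen = defaultdict(set)
    for xml in event_xml_list:
        system = ET.fromstring(xml).find("e:System", NS)
        computer = system.findtext("e:Computer", namespaces=NS)
        channel = system.findtext("e:Channel", namespaces=NS)
        record_id = int(system.findtext("e:EventRecordID", namespaces=NS))
        seen[(computer, channel)].add(record_id)
    gaps = {}
    for key, ids in seen.items():
        expected = set(range(min(ids), max(ids) + 1))
        missing = sorted(expected - ids)
        if missing:
            gaps[key] = missing
    return gaps

def make_event(computer, channel, record_id, event_id=4624):
    """Constructed minimal event XML in the Windows Event Log schema."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        f"<EventID>{event_id}</EventID>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>{channel}</Channel>"
        f"<Computer>{computer}</Computer>"
        "</System></Event>"
    )

# Constructed sample: WKS01 is missing records 1002 and 1003; WKS02 is complete.
SAMPLE_EVENTS = [
    make_event("WKS01.example.local", "Security", n) for n in (1000, 1001, 1004, 1005)
] + [
    make_event("WKS02.example.local", "Security", n) for n in (500, 501, 502)
]

if __name__ == "__main__":
    for (host, chan), missing in find_gaps(SAMPLE_EVENTS).items():
        print(f"{host} {chan}: {len(missing)} missing record(s): {missing}")
```

In practice you would feed it the XML of events read back from the collector's ForwardedEvents channel (or exported from Splunk) for a time window, and compare the gap count against what the source host's own log shows.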

itrimble1
Path Finder

We were able to leverage our Windows Event Collectors. We added this to the TA-Windows inputs.conf settings.
[WinEventLog://Forwarded Events]
suppress_checkpoint = true
suppress_sourcename = true
suppress_keywords = true
suppress_type = true
suppress_task = true
suppress_opcode = true
suppress_text = true
use_threads = 7


mmccul
SplunkTrust

I typically recommend the UF on Windows servers. It makes monitoring for problems much easier, such as systems that have stopped sending any data.

As for workstations, that may be a bit stickier, but if your number of workstations is small, a UF is hardly outrageous compared to many other agents I've seen on workstations. The major question to ask yourself is what happens when that workstation (which includes laptops presumably) goes home and then is brought online?


itrimble1
Path Finder

As far as workstations, we have around 4,000: a mixture of physical, persistent and non-persistent VDI.


mmccul
SplunkTrust

With a moderate number of workstations like that, the downside of a forwarder is you know when they stop reporting in. The upside is you know when they stop reporting in. VDI are typically considered more transitory, less permanent, so a forwarder does make less sense. You may need to consider a different solution for each technology type.

Some have had luck with a syslog daemon on Windows to forward log events.

There really is not a single best answer in my view. Each technology has advantages. Forwarders are easier to monitor, harder to deal with systems that are expected to come up and down regularly, but also deal surprisingly well with network disconnects. Event forwarders are simple, but as you've seen, not well known for reliability. Some use syslog or other protocols to introduce more answers.
