Configure index and application in Universal forwarder

skomath
New Member

Hi

I configured the Universal Forwarder to push the Windows event logs (ADFS logs) to the main Splunk server.

Can anyone help me with how to configure the application and indexer?

Thanks in advance


jstockamp
Communicator

A little more information would be helpful: what app, what index, and what specifically do you need help with? You might want to take a look at the Splunk App for Active Directory (http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory) as it will do most of the configuration for you.


Ayn
Legend

No, it is not.


skomath
New Member

So, is it possible to do the filtering on the client side (in the Universal Forwarder)?


jstockamp
Communicator

Just to be clear these modifications to props.conf and transforms.conf will go on the indexer, not the forwarder.

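The indexer-side filter described above, written out as an added example (this is not configuration from the thread or from Splunk's own documentation): the forwarder only tags the Security log with the target index, and the indexer discards every WinEventLog:Security event except those whose SourceName line is exactly "AD FS 2.0 Auditing". The index name myIndex comes from the thread; the stanza names adfs_setnull and adfs_setparsing and the file locations under etc/system/local are assumptions.

```ini
# --- Universal Forwarder: etc/system/local/inputs.conf (or an app's local/inputs.conf) ---
# Collect the Security log and tag it with the target index. No filtering happens here;
# every Security event is still sent to the indexer.
[WinEventLog:Security]
disabled = 0
index = myIndex

# --- Indexer: etc/system/local/props.conf ---
# Apply both transforms, in this order, to every event of this sourcetype.
[WinEventLog:Security]
TRANSFORMS-adfs_filter = adfs_setnull, adfs_setparsing

# --- Indexer: etc/system/local/transforms.conf ---
# 1. Send every event to the nullQueue (dropped before it is written to disk).
[adfs_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Override for events that carry a whole line reading "SourceName=AD FS 2.0 Auditing";
#    these continue to the indexQueue and land in myIndex.
[adfs_setparsing]
REGEX = (?m)^SourceName=AD FS 2\.0 Auditing$
DEST_KEY = queue
FORMAT = indexQueue
```

The order in TRANSFORMS-adfs_filter matters: the nullQueue rule runs first and the indexQueue rule overrides it only for matching events, so swapping them would drop everything. The regex is anchored to a full line and escapes the dot, otherwise events from a source such as "AD FS 2.0" (without "Auditing") would also be kept. myIndex must already exist on the indexer (the thread says it was created in Splunk Web). Because the decision is made on the indexer, this reduces what is stored and licensed, not what crosses the network from the forwarder.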

skomath
New Member

I specified it like this:

[WinEventLog:Security]
disabled = 0
index = myIndex

All the security logs start moving to the specified index.

Now the problem is... I want to filter the security logs before pushing them to the server. For example, I want to push only the logs having SourceName=AD FS 2.0 Auditing.

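To check the SourceName filter before deploying it, here is an added Python example (not code from the thread or from Splunk) that applies the same two-stage nullQueue/indexQueue decision an indexer-side transform would make, over constructed sample events in the multi-line key=value layout the Universal Forwarder produces for WinEventLog:Security. It also contrasts the anchored pattern with an unanchored one that would wrongly keep events from a differently named source. The events, host name and message text are made up for the example.

```python
import re

# Constructed sample events (not real log data), laid out the way the
# Universal Forwarder renders WinEventLog:Security events: one key=value per line.
SAMPLE_EVENTS = [
    "03/21/2014 10:15:30 AM\n"
    "LogName=Security\n"
    "SourceName=AD FS 2.0 Auditing\n"
    "EventCode=299\n"
    "EventType=4\n"
    "Type=Information\n"
    "ComputerName=adfs01.example.local\n"
    "Message=A token was successfully issued to the relying party.",

    "03/21/2014 10:15:31 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft-Windows-Security-Auditing\n"
    "EventCode=4624\n"
    "EventType=4\n"
    "Type=Information\n"
    "ComputerName=adfs01.example.local\n"
    "Message=An account was successfully logged on.",

    "03/21/2014 10:15:32 AM\n"
    "LogName=Security\n"
    "SourceName=AD FS 2.0\n"
    "EventCode=100\n"
    "EventType=4\n"
    "Type=Information\n"
    "ComputerName=adfs01.example.local\n"
    "Message=The Federation Service started.",
]

# The expressions a transforms.conf pair would carry (assumed stanza logic):
# first rule matches everything and routes to nullQueue, second rule
# overrides to indexQueue for the wanted source, anchored to a whole line.
SETNULL = re.compile(r".")
SETPARSING = re.compile(r"(?m)^SourceName=AD FS 2\.0 Auditing$")

# An unanchored, unescaped pattern a first attempt might use.
NAIVE = re.compile(r"SourceName=AD FS 2.0")


def route(event, keep_pattern=SETPARSING):
    """Return the queue an event ends up in, applying the rules in
    TRANSFORMS order: nullQueue first, then indexQueue for matches."""
    queue = "indexQueue"
    if SETNULL.search(event):
        queue = "nullQueue"
    if keep_pattern.search(event):
        queue = "indexQueue"
    return queue


def kept_sources(events, keep_pattern=SETPARSING):
    """SourceName of every event that would reach the index."""
    out = []
    for event in events:
        if route(event, keep_pattern) == "indexQueue":
            match = re.search(r"(?m)^SourceName=(.*)$", event)
            out.append(match.group(1) if match else None)
    return out


if __name__ == "__main__":
    print("anchored pattern keeps:", kept_sources(SAMPLE_EVENTS))
    print("naive pattern keeps:   ", kept_sources(SAMPLE_EVENTS, NAIVE))
```

The anchored pattern keeps only the "AD FS 2.0 Auditing" event; the naive one also lets the "AD FS 2.0" event through, which is the kind of over-match that is easy to miss when the regex is only ever tested against the event you want.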

skomath
New Member

ADFS will write the logs into the Windows event log. I configured the Universal Forwarder to collect logs from the Windows event log. For installation I used the Windows MSI setup.


jstockamp
Communicator

It sounds like you have already configured the forwarder to push ADFS logs (which means you configured an inputs.conf file to monitor a directory). In that inputs.conf add index=myIndex and you should be good. There can be multiple inputs.conf files on a forwarder, so you could have configured it in a number of places.


skomath
New Member

Which location? Which file? Is it inputs.conf?


jstockamp
Communicator

To specify the index you want an input to go to just add:

index=myIndex

to the monitor stanza in your inputs.conf (on the forwarder).

I don't believe Splunk for AD supports ADFS logs specifically.


skomath
New Member

We are looking for ADFS monitoring. Does the Splunk App for Active Directory support ADFS?


skomath
New Member

I want to move all logs to a specific index (say myIndex) rather than going to the main index.


skomath
New Member

Do you want any more details ?


skomath
New Member

In Splunk Web we can add a new application (say myApp), right? And I created a new index as well (called myIndex). And on our application server I installed the Universal Forwarder and configured it to push ADFS logs. Logs are moving to the main index.


skomath
New Member

Platform: Windows
