Hi
I configured the Universal Forwarder to push the Windows event logs (ADFS logs) to the main Splunk server.
Can anyone help me with how to configure the application and indexer?
Thanks in advance
A little more information would be helpful... what app, what index, and what specifically do you need help with? You might want to take a look at the Splunk App for Active Directory (http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory), as it will do most of the configuration for you.
No, it is not.
See http://splunk-base.splunk.com/answers/39231/filtering-with-a-uf-before-indexing for answers to your question above.
So, is it possible to do the filtering on the client side (in the Universal Forwarder)?
Just to be clear, these modifications to props.conf and transforms.conf will go on the indexer, not the forwarder.
I specified it like this:
[WinEventLog:Security]
disabled = 0
index = myIndex
All the security logs start moving to the specified index.
Now the problem is that I want to filter the security logs before pushing them to the server, e.g. push only the logs having SourceName=AD FS 2.0 Auditing.
ADFS writes its logs into the Windows event log. I configured the Universal Forwarder to collect logs from the Windows event log. For installation I used the Windows MSI setup.
It sounds like you have already configured the forwarder to push ADFS logs (which means you configured an inputs.conf file to monitor a directory). In that inputs.conf add index=myIndex and you should be good. There can be multiple inputs.conf files on a forwarder, so you could have configured it in a number of places.
Which location? Which file? Is it inputs.conf?
To specify the index you want an input to go to just add:
index=myIndex
to the monitor stanza in your inputs.conf (on the forwarder).
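Putting the two answers above together (the index= setting in the forwarder's inputs.conf, and the indexer-side props.conf/transforms.conf filtering), this is what the configuration would look like. It is an added example, not configuration from the thread or from Splunk's documentation; the index name myIndex and the SourceName value come from the question, while the stanza names setnull and keep_adfs and the transform class name filter_adfs are my own choices.

```ini
# --- On the Universal Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# (or the inputs.conf of whatever app carries the input). The UF only
# collects and forwards; parsing happens on the indexer, so the filter
# does NOT go here, only the index assignment does.
[WinEventLog:Security]
disabled = 0
index = myIndex

# --- On the indexer: $SPLUNK_HOME/etc/system/local/props.conf
# The stanza name is the sourcetype, which for a WinEventLog input
# defaults to the input stanza name. Transforms in one TRANSFORMS- key
# run left to right: "setnull" first sends every event to the null queue,
# then "keep_adfs" pulls the matching events back into the index queue.
# Reverse the order and everything is dropped.
[WinEventLog:Security]
TRANSFORMS-filter_adfs = setnull, keep_adfs

# --- On the indexer: $SPLUNK_HOME/etc/system/local/transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Event text as rendered by the WinEventLog input carries a line of the
# form "SourceName=<provider>" near the top of each event. (?m) makes ^
# match at the start of any line; the dot in "2.0" is escaped so it is
# a literal dot and not a wildcard.
[keep_adfs]
REGEX = (?m)^SourceName=AD FS 2\.0 Auditing\b
DEST_KEY = queue
FORMAT = indexQueue
```

Restart splunkd on the indexer after editing props.conf/transforms.conf, then check with a search such as `index=myIndex sourcetype="WinEventLog:Security" | stats count by SourceName`: only "AD FS 2.0 Auditing" should appear. Keep both transforms in the single TRANSFORMS-filter_adfs key as shown; if they are split across two keys (say TRANSFORMS-a and TRANSFORMS-b), Splunk orders the keys by name, and the null-routing one must still run first. The answer above was given for the Splunk version current at the time; on Splunk 6.x and later a Universal Forwarder can also filter Windows event log inputs itself with a `whitelist = SourceName=%<regex>%` line in the inputs.conf stanza, which avoids shipping the discarded events over the network at all.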
I don't believe Splunk for AD supports ADFS logs specifically.
We are looking for ADFS monitoring. Does the Splunk App for Active Directory support ADFS?
I want to move all logs to a specific index (say myIndex) rather than having them go to the main index.
Do you want any more details ?
In Splunk Web we can add a new application (say myApp), right? I created a new index as well (called myIndex). And on our application server I installed the Universal Forwarder and configured it to push ADFS logs. The logs are going to the main index.
Platform: Windows