Getting Data In

Filtering Windows logs at Source with Universal Forwarder

nitinthakur
New Member

Hi Splunk Gurus

We have a problem with Splunk on Windows. Windows sends way too many events and logs to the Splunk indexer, which makes us hit our daily license quota. What we want to do is send only certain events/logs from the Windows server to the indexer. We achieved this by using a Windows heavy forwarder, but the security team objects to opening the web interface on the server. The questions are:

1) What are the drawbacks of running a web server (the Splunk Web GUI) on all the servers?

2) Can I disable the Splunk Web GUI and still achieve filtering?

3) How much extra load will the web interface put on the server?

Thanks

0 Karma

kristian_kolb
Ultra Champion

1) There is a slightly larger overhead, of course, and the fact that there is a server listening for incoming HTTP requests. There have been a few vulnerabilities in previous versions of SplunkWeb.

2) Yes

3) Not too much, unless you actually use the heavy forwarder as a search head towards the indexer(s). Then it will consume large amounts of memory and CPU. This can also happen if the forwarder is monitoring a very large number of files (hundreds or thousands), regardless of whether the web interface is enabled or not.

Suggestion: disable the web GUI and use the Deployment Server for all configuration.

Hope this helps,

Kristian

0 Karma
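The combination the thread converges on (drop noisy events before they leave the host, turn off SplunkWeb, and push the configuration from a Deployment Server rather than the GUI) is shown below as an added example; it is not code from the thread or from Splunk. It builds a small app directory of the kind a Deployment Server would push, then runs the same `splunk disable webserver` command given in the thread and checks that nothing is listening on the web port afterwards. Assumptions not stated in the thread: the default install path, the app name `win_filter`, event codes 4624/4634/4672 as stand-ins for whatever is noisy in your environment, the default web port 8000, and `Get-NetTCPConnection` (Windows 8/Server 2012 or later). The `nullQueue` route only takes effect on a heavy forwarder or indexer, because the universal forwarder does not parse events.

```powershell
# Added example, not from the thread: filter noisy Windows Security events on
# a heavy forwarder, disable SplunkWeb, restart, and verify the web port is
# closed. All paths, names, event codes and the port are assumptions.

param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',   # assumed install path
    [string]$AppName    = 'win_filter',                # arbitrary app name
    [int]   $WebPort    = 8000                         # default SplunkWeb port
)

# Deployment-Server-style app: etc\apps\<app>\local\{props,transforms}.conf
$local = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Path $local -Force | Out-Null

# props.conf: attach a transform to the WinEventLog:Security sourcetype.
@'
[WinEventLog:Security]
TRANSFORMS-drop_noise = drop_noisy_security_events
'@ | Set-Content -Path (Join-Path $local 'props.conf') -Encoding ASCII

# transforms.conf: events whose EventCode line matches are routed to
# nullQueue, i.e. discarded before they are forwarded or indexed.
# 4624/4634/4672 (logon, logoff, special privileges) are example codes only.
@'
[drop_noisy_security_events]
REGEX = (?m)^EventCode=(4624|4634|4672)$
DEST_KEY = queue
FORMAT = nullQueue
'@ | Set-Content -Path (Join-Path $local 'transforms.conf') -Encoding ASCII

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# Disable SplunkWeb (the command the thread gives) and restart so that both
# the web setting and the new filter take effect.
& $splunk disable webserver
& $splunk restart

# Check: after the restart nothing should be listening on the web port.
Start-Sleep -Seconds 15
$listening = Get-NetTCPConnection -LocalPort $WebPort -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    Write-Warning "Port $WebPort is still listening; check startwebserver in web.conf."
} else {
    Write-Output "SplunkWeb is off: nothing is listening on port $WebPort."
}

# Check: show the merged transforms stanza Splunk will actually apply, with
# the file each setting came from.
& $splunk btool transforms list drop_noisy_security_events --debug
```

Run it once on the heavy forwarder as an administrator. If the app is later distributed from a Deployment Server, drop the local `props.conf` and `transforms.conf` into the deployment app instead and let the clients pull them; the `btool` line is the quickest way to confirm that the copy on the host is the one being used.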

Ayn
Legend

1) The obvious drawback is that an additional network port is exposed on the server running the heavy forwarder. While no known public exploits are available for unauthenticated connections to splunkweb, you never know when/if that could change.

2) Yes. "$SPLUNK_HOME/bin/splunk disable webserver" should do the trick.

3) I don't have numbers for this, but I can't imagine it uses any resources worth talking about when idle. It just sits there and waits.

treinke
Builder

1) The drawbacks (from the security side) are that you have a web server on the machine. The other drawback is that it could conflict with other applications. While Splunk does do an open-port check when it loads, it still could cause a problem. I think for most security people it is the fear of the web server being compromised or unmanaged.

2) Both the light forwarder and the universal forwarder do not do any parsing of the data. They leave that up to the indexer. But with that said, in your Manager, go to Forwarding and receiving, then Configure forwarding, and then Enable light forwarding. After you enable forwarding, you will have to restart Splunk from the command line. For Windows: "c:\program files\splunk\bin\splunk.exe" restart. For Linux: /opt/splunk/bin/splunk restart

3) That will depend on how much data the server will be parsing.

There are no answers without questions
0 Karma