Monitoring Splunk

Windows event collector and universal forwarder

Cccvvveee0235
Observer

Hello everyone, please help me with fetching events from a Windows Event Collector. I installed the Universal Forwarder on a Windows Server 2022 machine, where all events from the computers are kept. I am trying to fetch all forwarded events from this Windows Server 2022 machine to my Splunk indexer with the Splunk agent, but the agent sends the events only sometimes, not in real time. I can't see any errors in the SplunkForwarder events or in the Splunk indexer. I also used Splunk_TA_Windows to fetch the events.

0 Karma

PickleRick
SplunkTrust

As @gcusello already pointed out, the Universal Forwarder by default has a limit on data throughput, so if you have too many events coming in, the UF might not keep up with sending them out sufficiently quickly (the same can happen if your network bandwidth is too low).

The first question, though, is where the latency appears: look into the Forwarded Events log on your WEC machine and verify whether the events you see there are current or delayed; that's the first hint of where to troubleshoot.

There are also two different modes in which WEF operates: in push mode the source machines send the events to the WEC machine, but in pull mode the WEC machine actively pulls the events from the source machines on a given schedule (I'm not sure whether push mode is continuous only or whether it works with scheduled periods as well). That's something you should discuss with your Windows admins. (I suppose there can also be other factors causing WEF delays.)

Another thing that shows when you exceed a given performance level is that WinEventLog sources seem to get capped at some point, and you can't go over a certain performance level using a single input (even though the machine itself is perfectly capable of handling the additional load). In such a case the solution is to create additional Event Log channels beside the "normal" Forwarded Events channel and split the events from the subscriptions into multiple channels (and of course ingest them with the UF from those channels). But that's a relatively advanced topic (on the Windows side).

0 Karma
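One way to run the checks described above on the collector itself, written here as an added example (it is not code from the thread or from Splunk). It assumes you run it as Administrator on the WEC server, that the subscriptions target the default ForwardedEvents channel, and that source and collector clocks are in sync; wecutil ships with Windows Server, and the "Minimize Latency" / "Normal" batching values quoted in the comments are the standard subscription presets.

```powershell
# Added diagnostic for the WEC side (not from the thread). Run on the collector as Administrator.
# Assumptions: subscriptions write to the default ForwardedEvents channel; source and collector
# clocks agree (the lag below is TimeCreated, stamped by the source, compared with this clock).

# 1. Age of the newest forwarded event per source machine. A source that is known to be busy
#    but whose newest event is many minutes old points at WEF delivery, not at the UF.
$now    = Get-Date
$newest = Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 500 -ErrorAction Stop
$newest | Group-Object MachineName | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Source       = $_.Name
        Events       = $_.Count
        NewestAgeSec = [int]($now - $latest.TimeCreated).TotalSeconds
    }
} | Sort-Object NewestAgeSec -Descending | Format-Table -AutoSize

# 2. Delivery settings of every subscription. Mode="Push" means source-initiated (the source
#    decides when to send); Mode="Pull" means the collector polls. Batching/MaxLatencyTime is how
#    long a source may hold events before sending a batch: 30000 ms for the "Minimize Latency"
#    preset, 900000 ms (15 min) for "Normal". A 15-minute batch window looks exactly like
#    "the agent sends events sometimes, not in real time" from the Splunk side.
$subs = (wecutil es) | Where-Object { $_ -and $_.Trim() } | ForEach-Object { $_.Trim() }
$subs | ForEach-Object {
    $name = $_
    [xml]$cfg = (wecutil gs $name /f:xml) -join "`n"   # XML form of the subscription
    $d = $cfg.Subscription.Delivery
    [pscustomobject]@{
        Subscription  = $name
        Enabled       = $cfg.Subscription.Enabled
        Mode          = $d.Mode
        MaxItems      = $d.Batching.MaxItems
        MaxLatencySec = [int]$d.Batching.MaxLatencyTime / 1000   # value is in milliseconds
        Channel       = $cfg.Subscription.LogFile
    }
} | Format-Table -AutoSize

# 3. Runtime status: last heartbeat and last error for each source of each subscription.
foreach ($name in $subs) { wecutil gr $name }
```

Read the output in order: if step 1 shows the newest events are already minutes old on the collector, the delay is upstream of Splunk and step 2 (a large MaxLatencySec) or step 3 (sources reporting errors or stale heartbeats) usually explains it; if the collector's channel is current but the indexer is behind, the UF is the place to look.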

gcusello
SplunkTrust

Hi @Cccvvveee0235 ,

UFs send logs to Indexers in near real time, not in real time: events are grouped and sent in packets with a configurable frequency that depends on the availability of your network bandwidth.

There's a configurable limit (256 KB) on the size of the packets, which you can raise to unlimited by adding maxKBps = 0 to your outputs.conf on the UF.

The update frequency is 30 seconds, but you can modify it, even if I'd prefer to avoid this, also because when the UF is connected it sends all logs and you don't lose any data.

Ciao.

Giuseppe

0 Karma
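The throughput cap being discussed is the maxKBps setting, which the Universal Forwarder reads from the [thruput] stanza of limits.conf (its default on a UF is 256 KB/s; 0 removes the cap). The following is an added example, not code from the thread or from Splunk, of raising it and verifying that it took effect. It assumes the default UF install path and puts the settings in a hypothetical app named wec_tuning so that an upgrade does not overwrite them; the ThruputProcessor warning it searches for is the message the UF writes to splunkd.log when it throttles.

```powershell
# Added example (not from the thread): lift the UF's outbound throughput cap, read the
# ForwardedEvents channel, and confirm the effective settings. Run on the WEC server as Administrator.
$splunkHome = 'C:\Program Files\SplunkUniversalForwarder'        # assumption: default UF install path
$appLocal   = Join-Path $splunkHome 'etc\apps\wec_tuning\local'   # hypothetical app; any name works
New-Item -ItemType Directory -Force -Path $appLocal | Out-Null

# limits.conf is where maxKBps is read from. UF default is 256 (KB/s); 0 = unlimited.
# Weak setting: leaving the default while a busy WEC channel produces more than 256 KB/s,
# so the UF falls behind and events arrive late. Corrected setting below; pick a finite
# value (e.g. 2048) instead of 0 if the collector shares a constrained link.
@'
[thruput]
maxKBps = 0
'@ | Set-Content -Path (Join-Path $appLocal 'limits.conf') -Encoding ASCII

# inputs.conf: read the ForwardedEvents channel (same stanza name Splunk_TA_Windows uses).
@'
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
'@ | Set-Content -Path (Join-Path $appLocal 'inputs.conf') -Encoding ASCII

$splunk = Join-Path $splunkHome 'bin\splunk.exe'
& $splunk restart

# Which value is in effect, and which file it came from (catches a stray copy elsewhere).
& $splunk btool limits list thruput --debug

# Was the cap already being hit? The UF logs a ThruputProcessor warning when it throttles.
$log = Join-Path $splunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -Pattern 'ThruputProcessor' | Select-Object -Last 5

# Input health: errors or checkpoint details for the channel, if the input is listed.
& $splunk list inputstatus | Select-String -Pattern 'ForwardedEvents' -Context 0,4
```

If btool reports maxKBps from a file other than the one you just wrote, a higher-precedence copy (for example in etc\system\local) is overriding it; if the ThruputProcessor warnings keep appearing after the change, the cap is not the bottleneck and the delay is on the WEF side.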