Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Collect Windows/Linux logon events

gabrielsz
Explorer
‎04-26-2022 01:00 AM

Hi,

I have some newbie questions. We need to collect Windows/Linux logon events and send them to another system using a forwarder.

1. For Windows, we understand that the options for collecting events logs are: (i) Install a forwarder on each Windows machine (ii) Collect the logs remotely over WinRM using a heavy forwarder. Is this correct or are we missing some options? What is the most common way? In case a forwarder is installed on each machine, each one will send the data to the indexer or is it common to use a central forwarder and send to the indexer from there?

2. Are the options similar in Linux? What the common way?

3. The other system will need to correlate the events with a list of machines it gets from somewhere else, where the machines might appear the IP address or the hostname, and it has no way to perform DNS lookups. Is it possible to configure Splunk to forward both IP and hostname/FQDN as part of the event?

Thanks, Gabriel

Labels (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...