I am installing Splunk universal forwarder on Windows machines as an agent to forward my data to the indexer. It appears to create its own app folder (MSICreated) if you specify some install-time switches that indicate you want to monitor some basic things like event logs and perfmon. In addition to that there is an inputs.conf in \etc\apps\SplunkUniversalForwarder\local, one in \etc\apps\SplunkUniversalForwarder\default, and one more at \etc\system\local\inputs.conf, all of which have similarly configured entries for Event Logs. I'm all for the belt and suspenders approach, but it's confusing to find the same entries all over hell's half acre. If I want to disable one or add another, the only way to be sure I'm getting what I want is to edit all those files. After all, one of them might override the others. It's my understanding that entries in local override entries in default, for example. What really concerns me is that I'm not sure whether having entries in four places causes four times the workload for the same event log. Does it? What is best practice here?
Second question. It appears that SplunkUniversalForwarder and the local inputs.conf have the means to gather all the information I'm interested in already. So, do I still need something like Splunk for Windows TA? What does that addon get me that I don't already have for Splunking windows hosts with agent/forwarders? Do I just need it on the Indexer/Searcher in order to parse things successfully or what?
Thanks in advance for any responses.
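To see how the layered inputs.conf files collapse into a single effective configuration, here is an added example (not from the original post or from Splunk) that merges stanzas from the locations the question names using Splunk's documented global-context precedence (system/local, then app/local, then app/default, then system/default, with app directories resolved in ASCII order). The sample stanzas, the MSICreated app contents and the relative paths are constructed for the demonstration; on a real forwarder `splunk btool inputs list --debug` prints the same kind of merged view with the originating file for each setting.

```python
# Precedence for inputs.conf in the global context, highest first. Assumed
# from Splunk's configuration-precedence rules; the MSICreated entries are
# hypothetical placeholders since the post does not show that app's files.
PRECEDENCE = [
    "etc/system/local",
    "etc/apps/MSICreated/local",                  # hypothetical
    "etc/apps/SplunkUniversalForwarder/local",
    "etc/apps/MSICreated/default",                # hypothetical
    "etc/apps/SplunkUniversalForwarder/default",
    "etc/system/default",
]

# Constructed sample files: the same Security stanza appears in all four places.
SAMPLE_FILES = {
    "etc/system/default": "[WinEventLog://Security]\ndisabled = 1\nstart_from = oldest\n",
    "etc/apps/SplunkUniversalForwarder/default":
        "[WinEventLog://Security]\ndisabled = 0\ncurrent_only = 0\n"
        "[WinEventLog://System]\ndisabled = 0\n",
    "etc/apps/SplunkUniversalForwarder/local":
        "[WinEventLog://Security]\nindex = wineventlog\n"
        "[WinEventLog://Application]\ndisabled = 0\n",
    # Admin turns Security off in system/local; this outranks every app file.
    "etc/system/local": "[WinEventLog://Security]\ndisabled = 1\n",
}


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}} (comments and blanks skipped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_inputs(files):
    """Merge files lowest-precedence first so higher layers overwrite per key.
    Returns {stanza: {key: (value, source_path)}}; each stanza name occurs once,
    which is why duplicate stanzas do not become duplicate inputs."""
    effective = {}
    for path in reversed(PRECEDENCE):
        for stanza, keys in parse_conf(files.get(path, "")).items():
            merged = effective.setdefault(stanza, {})
            for key, value in keys.items():
                merged[key] = (value, path)
    return effective


if __name__ == "__main__":
    for stanza, keys in effective_inputs(SAMPLE_FILES).items():
        print(f"[{stanza}]")
        for key, (value, src) in keys.items():
            print(f"  {key} = {value}    # from {src}")
```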