Hi all,

I installed a Splunk server on a Linux server, and I want to get the Windows server logs into my Splunk server. Is it possible to get the logs without installing the Splunk agent/forwarder on the Windows server?

Thanks

Views: 412

Replies to This Discussion

If you can place the log on a network drive that is accessible by the Splunk server, you should be able to eat the log without the forwarder.
Hi "Atul Mistry",

I have tried to help Yanu solve this problem by mapping the Windows event log directory at C:\WINDOWS\system32\config and trying to place the AppEvent.evt, DNSEvent.evt, SecEvent.evt and SysEvent.evt files;

We installed Samba on our Linux Splunk server for this mapping, and the mapping works 100%. Then in "Manager - Data inputs - Files & Directories" in Splunk, we chose Add New and picked the mapped directory (for example /opt/splunk/winlog; this directory refers to C:\Windows\system32\config).
I entered "/opt/splunk/winlog/AppEvent.evt" in the column, named the sourcetype, and saved.
Splunk looks like it accepts this, and places it in the Files & Directories list.

But it seems that Splunk can't translate the .evt format and never indexes the log.

Would you and the other ninjas in this forum give us a suggestion for this problem?
It is also strange that the Splunk installer for Linux/Unix doesn't have several links like the Windows version has. You will never find "WMI collection, Eventlogs Collection, Registry Monitoring" on the Linux version.
If you install the "Windows" app (http://www.splunk.com/apps/windows) on the Linux server, you will see the Windows-specific sources and sourcetypes.

Once you do that, Splunk may be able to eat the *.evt files properly.

Also, you may want to set the sourcetype to "Automatic".

Is there a reason why you do not want to use the Forwarder?
Hi,

I have the Windows app on my Linux server, and I think with or without that app installed there is no difference; you still can't find a way to get the .evt log in any case.

I have tried many possible things to reach the data, but with no result.

I found the only way, but it is quite complex, and you shouldn't suggest this way to your customer. They may think that using Splunk just adds to their jobs. The only possible thing is probably to build your own script or maybe an app to convert .evt files to .csv or .log. If so, maybe you can show us the way.

I really suggest Splunk Dev think about this, because we can't suggest customers install Splunk on a Linux/Unix system just because of the performance issue or stability issue (because of the Python language), but the developers forgot to think how disturbing it is if customers want to get event data from Windows without installing Splunk as a forwarder (I said this as "agent") on their Windows server.

Many big companies with a tight policy for this "agent" install procedure may think twice about buying Splunk.
They have to have a very long debate with each other in their departments just to decide "can we install the Splunk agent on your 46 (yeah, in my case, forty-six) Windows servers to transfer the event logs to our "Linux" Splunk server?". This all happened in my present POC.... and the reason why my client does not want to use the forwarder is that they will never want to install Splunk on 46 servers and don't want to be blamed if one of their servers goes down because of the splunkd engine. I have clearly explained to them that with the light forwarder system the process will never disturb the running system, and the process is so light that it will never crash the system. But they still don't listen to me... how sad.. :)

Atul, have you tried your method above? Have you tried installing Splunk on Linux and grabbing the event data from your Windows server without an agent with your method? I still can't get the data with your method....
Would you mind guiding me and Yanu step by step more clearly? We would highly appreciate it if you or others in this forum can give a clear way to solve our problem.

Thanks.
Funny thing on the Linux Splunk installation version
Attachments:
Hello,

1. You can export the evt and evtx only to a Splunk on an MS OS, because the evt and evtx are binaries and only on Windows can you transform them.

2. For WMI you need a Splunk Indexer on an MS OS or a Splunk FW on an MS OS; WMI works only on MS OS.

3. ADMON.EXE, for indexing your AD, only works on MS OS.

Please visit the Splunk Documentation for that: http://www.splunk.com/base/Documentation

Regards, Alexander
OK, thanks for your information.

I had realized that long before this thread was posted, since evt and evtx are Microsoft proprietary stuff.

So, you suggest using the forwarder or forcing our client to change to Windows for the Splunk server.
Maybe it's better for me to cancel the POC demo and re-arrange it with another scenario next time.

Any other "no forwarder" suggestions please? Thx...
Hello,

For your POC, install a Splunk FW on an MS OS system and configure evt/evtx, WMI and ADMON.EXE.
You need at most 1 hour for this.

Install the Windows APP on the Splunk Indexer.

With these little tasks your POC is working ;-)))

Regards, Alexander
I really love the Splunk slogan in APAC in Singaporean English: "Can can, cannot also can lah..."

Please correct me; you have suggested that we provide (at least) one MS OS client, installed and acting as a Splunk forwarder server, that will collect all the event data from all the 46 (in my case) Windows servers, index the events, and then forward them to the "main" Linux Splunk server that I have already installed.

I think maybe that's a good idea. But I'm not sure our client will agree with this clue, because they must provide one CPU and one MS OS license. How about the Splunk license? Does my client need to buy one more separate Splunk license for that MS OS forwarder?

I have attached the new scenario based on your suggestion; please correct me if I'm wrong. And of course, if I'm wrong, please explain what you mean more clearly :)))

One more question: Do you have any idea about "no forwarder" and "no server added for forwarding events"? I doubt my client will agree to provide one more server for the forwarder. They have to provide the cost for the forwarder server, OS license, and I think more Splunk license...?

Many thanks.
Attachments:
Hello,

1. You can install as many FWs as you need; it is not a license question, you are only licensed for Data/day for indexing at the Splunk Indexer.

2. Your new scenario is correct.

3. If the customer does not want to invest in a new system for the MS FW, use an existing MS OS system that has not much load at the moment.

4. You can also install a Splunk Server on MS OS (64-bit) and then you need no FW; for Linux logs and network logs use the UDP Data Input option and install the *Nix app on the Splunk MS OS Server.

5. How much data do you want to index each day?

Regards, Alexander
Hi,

1. OK, clear..

2. Thx.

3. It's hard to say that to them, because they never want to install anything on their operational servers. But I'll try...

4. I worry about this, because the POC has already been running for 2 weeks, and if I suggest changing the server, we must start from the beginning, and that may cause a negative impression of Splunk and of the POC itself :p
OK, I think the added server for the forwarder may be the best clue for the moment.

5. 500 MB to 1 GB (it depends on the POC; they can know the needs)....

Many thanks.
I have used psloglist to export Windows binary event logs to human-readable event logs and then copied them to the Splunk server.

http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx
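Two points from this thread can be checked before a file is added as a Splunk input: Alexander's reply that the .evt/.evtx files mounted over Samba are binary and will never index as text, and the last reply's approach of exporting to a human-readable file first and copying that to the Splunk server. The following script is an added example, not code from the original thread and not Splunk's own tooling. It classifies each file in a directory by its header: a legacy .evt file carries the signature "LfLe" at offset 4 of its header record, and an .evtx file starts with the 8-byte signature "ElfFile\0"; anything that is not plain text is flagged so a monitor input is not pointed at it. The sample directory it builds is constructed for the example, and the layout of the text export in it is an assumption, not psloglist's exact output format.

```python
"""Classify files copied from a Windows host before pointing Splunk at them.

Added example (not from the original thread or from Splunk). Legacy .evt files
start with a header record whose signature "LfLe" sits at offset 4; .evtx files
start with the 8-byte signature "ElfFile\\0". Splunk's file monitor reads files
as text, so such binary logs are reported instead of being added as inputs.
"""
import os
import struct
import tempfile

EVT_SIGNATURE = b"LfLe"          # legacy .evt header signature, at offset 4
EVTX_SIGNATURE = b"ElfFile\x00"  # .evtx file header signature, at offset 0


def classify_header(head: bytes) -> str:
    """Return 'evt', 'evtx', 'text' or 'binary' for the first bytes of a file."""
    if len(head) >= 8 and head[4:8] == EVT_SIGNATURE:
        return "evt"
    if head[:8] == EVTX_SIGNATURE:
        return "evtx"
    # UTF-16 text (common for Windows tool output) contains NUL bytes, so the
    # byte-order mark is checked before the NUL heuristic below.
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "text"
    if b"\x00" in head:
        return "binary"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def classify_file(path: str) -> str:
    """Classify a file from its first 64 bytes only; large logs are not read fully."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(64))


def scan_directory(directory: str) -> dict:
    """Map every regular file in `directory` to its classification.

    Only files classified as 'text' are candidates for a Splunk file monitor.
    """
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = classify_file(full)
    return results


def build_sample_dir() -> str:
    """Create a constructed sample share: two binary logs and one text export."""
    directory = tempfile.mkdtemp(prefix="winlog-")
    # Constructed legacy .evt header: 48-byte header record, "LfLe" signature.
    evt_header = struct.pack("<I", 48) + EVT_SIGNATURE + struct.pack("<II", 1, 1)
    evt_header += b"\x00" * (48 - len(evt_header))
    # Constructed .evtx header: signature followed by zero padding.
    evtx_header = EVTX_SIGNATURE + b"\x00" * 56
    # Constructed text export in a psloglist-like layout (layout is assumed).
    export = (
        b"[8016] Security\r\n"
        b"   Type:     AUDIT SUCCESS\r\n"
        b"   Computer: WIN-POC-01\r\n"
        b"   Time:     2/7/2012 10:15:22 AM   ID: 4624\r\n"
        b"   User:     NT AUTHORITY\\SYSTEM\r\n"
    )
    samples = {
        "AppEvent.evt": evt_header,
        "Security.evtx": evtx_header,
        "SecEvent-export.txt": export,
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    share = build_sample_dir()
    for name, kind in scan_directory(share).items():
        verdict = "ok to monitor" if kind == "text" else "binary, will not index as text"
        print(f"{name}: {kind} ({verdict})")
```

Run against the Samba-mounted directory from the thread (for example /opt/splunk/winlog) instead of the constructed sample, the script reports AppEvent.evt and friends as binary and only the exported text files as monitor candidates, which is the same conclusion the thread reached by trial and error.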

© 2012   Created by Michael Wilde.
