I am new to splunk and it seems to be a fantastic product in my demoing of it. However, I am running into a hitch when smoothly integrating windows servers and splunk. As far as I know there is no native way to send logs to my SPLUNK server or have SPLUNK go out and grab the logs.
Are there any nice best practice guides out there to get me up and running with splunk in my windows environment? It would be great if I could just add the dns of each windows server with auth for each one and have splunk monitor the logs in the %systemroot%\system32\config directories.
The closest I have found is that I need a 3rd party app to send the logs in real time to the splunk server. Or am I missing something?
Ultimately it would be great if I could send the logs from every PC, server, Firewall to Splunk and have Splunk take care of all the processing but I don't know how gathering all this data is feasible if I need to install 3rd party on every windows box.
To summarize, I would like to know if there are some good guides out there for windows admins getting started with splunk. I am assuming that everything has to be pushed to splunk and it will never be designed to gather data.
You just need to install Splunk (the same .exe as you used for your index server) in a lightweight forwarder mode on your Windows boxes. You can then configure them to input all the logs you wish and forward them to your index server:
http://splunk.com/doc/latest/admin/ForwardingReceiving
http://splunk.com/doc/latest/admin/ForwardingandReceiving#Lightweightforwarding
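As an added illustration of the setup this answer describes (not configuration taken from the thread or from Splunk's own documentation), the minimal config files on a Windows forwarder and on the index server; the stanza names are assumed from the current Splunk inputs.conf and outputs.conf references, and the hostname and port are placeholders. As the thread notes further down, the receiving side requires an enterprise license.

```ini
; --- On each Windows server (forwarder): %SPLUNK_HOME%\etc\system\local\inputs.conf ---
; Collect the three standard Windows event logs. Stanza syntax is assumed from
; the Splunk inputs.conf reference, not quoted from this thread.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

; --- On each Windows server (forwarder): %SPLUNK_HOME%\etc\system\local\outputs.conf ---
; Forward everything to the index server; hostname and port are placeholders.
[tcpout]
defaultGroup = central_indexer

[tcpout:central_indexer]
server = splunk-indexer.example.local:9997

; --- On the index server: %SPLUNK_HOME%/etc/system/local/inputs.conf ---
; Open the receiving port that the forwarders above point at.
[splunktcp://9997]
disabled = 0
```

Restart Splunk on both sides after editing; the indexer's port 9997 must be reachable from every forwarder through the host firewall.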
Perfect, thanks! In my 'obtuseness' I did not understand that from the documentation. I will have to look into pushing that out via GPO.
Is there any benefit to going with a third party as opposed to the lightweight forwarder mode?
Ok this was great and all until I hit the hitch that receiving is only enabled in the enterprise version.
Am I correct in assuming that there is no way with the free server to monitor any windows boxes other than the one the server resides on?
That is correct - you need an enterprise license to receive.
If you want to give it a trial run, email sales@splunk.com and they can generate you a 30-day trial license.
If you want to test out enterprise features in a bleeding-edge context (meaning not everything will work right), try downloading our preview, which will give you our next generation of enterprise features for a few weeks:
http://www.splunk.com/index.php/preview
In preview, we do have WMI inputs which will let you remotely monitor the event logs of other Windows boxes. However, in practice I am somewhat skeptical how many boxes you can remotely monitor using WMI - if you find out let me know :)
I use other applications to monitor many boxes via WMI calls. Of course this is a kind of round robin approach and not real-time.
I was hoping that I could use splunk until our next budget year when I could migrate to enterprise if necessary. 5K is a little much to request ad-hoc. I was just hoping that since I can monitor my Linux boxes with the free server (by listening on a port) that I could monitor my windows boxes as well. However, windows boxes don't have a native tool to export logs that I am aware of and I am still looking for a small package for deployment on our network.
I don't need any other options from enterprise. I just want to parse the logs from my windows servers in one location; there are only about 15 of them and another 10 Linux servers. Initially when I reviewed the free version of splunk I thought the only limitation was the quantity of data processed. Now I am seeing that this may not be a cost effective solution for a mixed environment of our size as I won't come even close to the 500 limitation.
What I may end up doing is finding a client, a small one that I can deploy on all my PCs and Servers to ship logs out to splunk. Most of the packages I have seen (which are still overkill for what I want them to do) would run me less than 2K, which is reasonable. I was hoping someone in the forums might have some suggestions for a one trick pony app that would simply export the logs initially and then export changes as they occur.
OK here is precisely what I was looking for and found. I will document here for fellow newbies.
Below you will find the files and documentation necessary to set up what is probably the best log management system available without sacrificing a co-worker.
Breakdown: This will give you an environment with a well known client app called Snare on each system you want to monitor. Each Snare client will send logs to your Splunk server. There is documentation about this somewhere on Splunk's website but below is everything you need to get your windows/linux/unix environment's logs fully centralized.
Snaring Splunk in an AD mixed environment.
Your server: Splunk of course.
Your client: Snare. http://www.intersectalliance.com/projects/index.html
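As an added example of the receiving side of the Snare approach described in this post (not configuration from the thread or from Snare's or Splunk's own documentation): Snare ships Windows event logs as syslog, so the Splunk server only needs a plain network input, which, as noted earlier in the thread, works on the free license because it is not Splunk-to-Splunk receiving. The port, sourcetype name and props settings are assumptions for this example.

```ini
; --- On the Splunk server: %SPLUNK_HOME%/etc/system/local/inputs.conf ---
; Listen for the syslog stream each Snare client is pointed at. A plain network
; input, not a Splunk forwarder, so no enterprise receiving license is needed.
[udp://514]
sourcetype = snare_windows
; Record the sending host by reverse DNS so events are tagged per machine.
connection_host = dns

; --- On the Splunk server: %SPLUNK_HOME%/etc/system/local/props.conf ---
; Snare emits one event per syslog line; turn off line merging so Splunk
; never glues consecutive Windows events from one host into a single event.
[snare_windows]
SHOULD_LINEMERGE = false
```

Point each Snare client at the Splunk server's address and UDP port 514 (or whatever port you chose above), and confirm the port is open on the Splunk host's firewall.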