Score:-2

Splunk Universal Forwarder on Windows : how many logs to forward?


Tags: Splunk Universal Forwarder, Windows Server 2019

When configuring the forwarder, a large variety of logs can be forwarded:

  • Application Log
  • Security Log
  • System Log
  • Forwarded Events Log
  • Setup Log

In addition, Performance Monitor can be logged:

  • CPU Load
  • Memory
  • Disk Space
  • Network Stats

Additionally, Active Directory Monitoring can be enabled.

While it's tempting to check all the boxes so that max data is available during troubleshooting, I'm wondering about impact on server performance.

Is there any best practice here? Is it OK to forward everything? Or what is probably best left out?

Actually, a Windows endpoint has hundreds of event logs, any of which can be forwarded. There isn't a best practice; it's based on the needs of your organization.
Score:0

This is a good question, but it's unanswerable in any practical way without knowing your use cases.

As @Greg Askew commented, there is no "best practice" - it's whatever you:

  • want to collect, and
  • need to collect

For one organization, you may need to know every time a local printer is used and by whom.

Another group may only care when a non-domain user logs in.

And on and on for tens of thousands of possible interactions.

Explain your use case(s), and we can help better :)
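Since both answers say the choice depends on your use case, here is what such a choice looks like once written down: an added example `inputs.conf` for the Universal Forwarder (not from the question or either answer) that enables the five event-log channels, the four Performance Monitor areas and AD monitoring listed in the question, and scopes the one channel that actually drives load, Security, to a bounded set of event codes. The stanza and key names are Splunk's own; the event-code list and the 60-second sampling interval are assumptions chosen for illustration.

```ini
# inputs.conf for the Universal Forwarder. Stanza and key names are Splunk's;
# the event-code list and the 60 s interval are assumptions, not thread values.

# The five event-log channels from the question. Setup and ForwardedEvents are
# cheap to keep on (ForwardedEvents is empty unless this host is a collector).
[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Setup]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 0

# Security is the high-volume channel, so it is the one to scope. A whitelist
# of event codes (here: audit log cleared, logon, privilege, process creation,
# account/group changes, Kerberos) bounds forwarder load and licence use.
# SID/GUID resolution costs an AD lookup per event, so it stays off here.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
whitelist = 1102,4624,4625,4648,4672,4688,4720-4726,4732,4740,4768-4776

# Performance Monitor: the sampling interval is the main cost lever, so one
# sample a minute is a reasonable starting point for every object.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
disabled = 0

[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Avg. Disk Queue Length
instances = *
interval = 60
disabled = 0

# Memory (object = Memory) and Network (object = Network Interface) follow the
# same shape. Active Directory monitoring only makes sense on a domain
# controller; leave it disabled on member servers.
[admon://NearestDC]
monitorSubtree = 1
disabled = 0
```

Review the Security whitelist against your own detection needs before deploying it; a blacklist of known-noisy codes is the alternative when you want everything else kept.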
