Collect Windows Events That Are Forwarded from Splunk Appliances
To collect events, you can configure your Windows end points to forward events to your JSA console and your Splunk indexer.
Forwarding Windows events from aggregation nodes in your Splunk deployment is not suggested. Splunk indexers that forward events from multiple Windows end points to JSA can obscure the true source of the events with the IP address of the Splunk indexer. To prevent a situation where an incorrect IP address association might occur in the log source, you can update your Windows end-point systems to forward to both the indexer and your JSA console.
Splunk events are parsed by using the Microsoft Windows Security Event Log DSM with the TCP multiline syslog protocol. The regular expression that is configured in the protocol defines where a Splunk event starts or ends in the event payload. The event pattern allows JSA to assemble the raw Windows event payload as a single-line event that is readable by JSA. The regular expression that is required to collect Windows events is outlined in the log source configuration.
To configure event collection for Splunk syslog events, you must complete the following tasks:
On your JSA appliance, configure a log source to use the Microsoft Windows Security Event Log DSM.
You must configure 1 log source for Splunk events. JSA can use the first log source to autodiscover more Windows end points.
On your Splunk appliance, configure each Splunk Forwarder on the Windows instance to send Windows event data to your JSA console or Event Collector.
To configure a Splunk Forwarder, you must edit the
output.confconfiguration files. For more information on event forwarding, see your Splunk documentation.
Ensure that no firewall rules block communication between your Splunk appliance and the JSA console or managed host that is responsible for retrieving events.
On your JSA appliance, verify the Log Activity tab to ensure that the Splunk events are forwarded to JSA.