
Splunk Universal Forwarder on Windows Server 2019

When configuring the forwarder, a large variety of logs can be forwarded:

  • Application Log
  • Security Log
  • System Log
  • Forwarded Events Log
  • Setup Log

In addition, Performance Monitor can be logged:

  • CPU Load
  • Memory
  • Disk Space
  • Network Stats

Additionally, Active Directory Monitoring can be enabled.

While it's tempting to check all the boxes so that max data is available during troubleshooting, I'm wondering about impact on server performance.

Is there any best practice here? Is it OK to forward everything? Or what is probably best left out?

BaltoStar
    Actually a Windows endpoint has hundreds of event logs, any of which can be forwarded. There isn't a best practice, it's based on the needs of your organization. – Greg Askew Nov 17 '22 at 10:31

1 Answer

This is a good question, but it's unanswerable in any practical way without knowing your use cases.

As @Greg Askew commented, there is no "best practice" - it's whatever you:

  • want to collect, and
  • need to collect

For one organization, you may need to know every time a local printer is used and by whom.

Another group may only care when a non-domain user logs in.

And on and on for 10s of 1000s of possible interactions.

Explain your use case(s), and we can help better :)

warren