Spelunking Windows with Splunk

11/10/2020

Remote Windows data overview

Splunk Enterprise collects data from Windows operating systems in one of two ways:

• Splunk forwarders
• Windows Management Instrumentation (WMI)

For now we will focus only on the Forwarders

Splunk Forwarders

Using a universal forwarder to get remote Windows data is one of the best ways of collecting data whenever possible. The Forwarder uses minimal network and disk resources on the installed machines and can be installed as a non-privileged user. With administrative access to the machine the Forwarder does not require additional authentication to send data from the local machine, as WMI does. The forwarder scales well in large environments and is easy to install manually or through various deployment toools such as System Center Configuration Manager (SCCM) or a third party distribution solution such as Puppet. After installing a universal forwarder, information is gathered locally and sent to a Splunk deployment. Forwarders can be configured to send various types of data and can each have special plugins attached. This makes forwarders ideal when individual hosts need to have slight modifications.