Yesterday, one of our analysts came to me looking for some Splunk events he could use to relate an outage of one of our websites to other events in our environment. The website monitor is using WebWatchBot 7. I didn't find any events coming from the WebWatchBot server that seemed to have any bearing on the website in question. When I started exploring the logs on the WebWatchBot server, I found that none of them were being forwarded to our Splunk Search Peers.
The analyst and I discussed briefly what it would take to forward "interesting" events from WebWatchBot, and we agreed it would likely take a significant effort to ensure proper and useful indexing. He also mentioned that the logs can be quite voluminous, and that we'd likely need some kind of filtering to prevent overloading our Splunk license.
Has anyone done any work to forward WebWatchBot logs to Splunk?
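An added example of the usual pattern for the two things the post asks about: monitoring a log directory with a Splunk universal forwarder, and discarding uninteresting lines before they are indexed so they do not count against the license. This is not from the original post, from WebWatchBot, or from Splunk's documentation; the log path, the sourcetype name, the index name, and the REGEX are assumptions, since the post gives neither WebWatchBot's log location nor its line format.

```ini
# inputs.conf on the WebWatchBot server (universal forwarder).
# Path, sourcetype and index are assumed; adjust to the real install.
[monitor://C:\Program Files\WebWatchBot\Logs\*.log]
sourcetype = webwatchbot
index = webmon
disabled = false

# props.conf on the indexers (the search peers). A universal forwarder
# does not parse events, so the filtering stanzas must live where
# parsing happens, not on the forwarder.
[webwatchbot]
TRANSFORMS-webwatchbot_null = webwatchbot_setnull

# transforms.conf on the indexers. Events whose raw text matches REGEX
# are routed to nullQueue: they are neither indexed nor counted against
# the license. The pattern is a placeholder assumption; replace it with
# one that matches the verbose lines you actually want to drop.
[webwatchbot_setnull]
REGEX = (?i)\b(DEBUG|TRACE)\b
DEST_KEY = queue
FORMAT = nullQueue
```

If the noise is most of the volume, the inverse is often easier: one transform that sends everything to nullQueue, followed by a second that routes only the wanted lines (for example, lines recording a monitor failure or a status change) to indexQueue, listed in that order on the TRANSFORMS line, because the last matching transform wins. The webmon index must already exist on the search peers, and the REGEX should be tuned against a sample of real WebWatchBot lines before the stanzas go into production.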