Ingesting Windows events forwarded by Splunk heavy forwarders


We are currently moving our SIEM from Splunk to Elastic.

Due to a tight deadline and network/firewall configuration we will be adding the Elastic endpoint to our current Splunk Heavy Forwarders.

This approach works fine for syslog sources but I am unsure how to handle windows events coming from the heavy forwarders.

I doesn't seem like Winlogbeat or Elastic agent has an Input for this scenario.

Any advice would be appreciated.

1 Like

It's been a while since I looked at this approach, but they push things via HTTP right? If so you could setup an ingest pipeline in Elasticsearch and then point the forwarder to it.