I am trying determine the best practice for getting windows event logs into hdfs, via flume, without installing something on the event log source servers. I’ve unearthed several possible options, but none seem like a standard solution to what i would think an extremely common scenario.
1. put an agent on the event log source server – too invasive, would impact existing server etc
2. move logs into a directory and use File Spool Directory agent – this would be an extra copy step and additional overhead, and would likely require another process on the log source server.
3. Configure port forwarding via winrm quickconfig. I didn’t really see much doc on this, and do not know how invasive it is to the event log source server and so am not confident as an option.
4. Configure network shares that would allow for an Exec agent to read the logs. I guess windows shares on each event log source server and then Samba on my linux/flume box could work?