From Splunk Wiki
Choosing among Snare, WMI remote polling, and local Splunk forwarders
Many Windows administrators use the free, open-source Snare agent to collect Windows Event Logs on remote machines and forward them, typically over syslog, to a central server. When introducing Splunk into an existing Snare environment, or when designing distributed log collection for Splunk from scratch, you have three choices: keep (or start) using Snare on the remote machines, pull the logs with WMI remote polling, or put a light weight Splunk forwarder on each machine.
Each has its own advantages and disadvantages. Ask yourself the following questions, in order, when deciding which technology to use:
- Are you able to run agents or forwarders on the boxes at all? Some environments prohibit or severely restrict the code that may run on certain production boxes, for availability or security reasons. If you absolutely cannot install outside products, WMI remote polling from a Splunk indexer is your only option. Note that the Splunk instance doing the polling must itself run on Windows, its service account needs the rights to read the Event Logs on every target, and the targets' firewalls must allow the RPC/DCOM traffic WMI uses.
- Are Event Logs the only data you want to collect? Snare has an agent for Event Logs, and a separate agent for text files. If you want more than Event Logs – for example, Exchange mail logs, Registry changes, WMI performance data, etc – you’ll need additional agents. Since Splunk can do all of those, if you need more than Event Logs consider using light weight Splunk forwarding.
- Are you more concerned with reliability or with interoperability of the transport protocol? Because Splunk forwarders preserve the original multi-line structure of data such as Event Log records, they do not speak generic protocols like syslog, whereas Snare flattens each event into a syslog line that any collector can accept. In exchange, the Splunk-to-Splunk forwarding protocol is far more reliable and secure than syslog or other stateless transports: plain UDP syslog travels in the clear and gives no guarantee of delivery. Forwarders communicate over TCP with optional SSL encryption, and buffer data locally during a network outage. Since the SSL is optional, remember to turn it on and to verify certificates rather than relying on the default certificates Splunk ships, which are shared by every installation.
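The three questions above map onto two Splunk configurations: an agentless wmi.conf on the polling indexer, or an inputs.conf/outputs.conf pair on each forwarder plus a receiving stanza on the indexer. The fragments below are an added example written for this page, not configuration taken from Splunk, Snare or any real deployment. Hostnames (web01, idx01.corp.example), the Exchange log path, the sourcetype name exchange_messagetracking, the certificate file names and the password placeholders are all assumptions; substitute your own.

```ini
# --- Option A: agentless WMI polling.
#     $SPLUNK_HOME\etc\system\local\wmi.conf on a Splunk instance that runs
#     on Windows under an account allowed to read the targets' Event Logs.
#     Hostnames are placeholders.
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

[WMI:RemoteEventLogs]
server = web01, web02, sql01
event_log_file = Application, Security, System
# Seconds between polls; every poll pulls everything logged since the last one,
# which is why WMI traffic arrives in bursts rather than as a steady stream.
interval = 5
current_only = 0
disabled = 0

# --- Option B: a Splunk forwarder on each host.
#     $SPLUNK_HOME\etc\system\local\inputs.conf on the forwarder. Event Logs,
#     text logs, Registry changes and performance counters are each one stanza,
#     so no second agent is needed for non-Event-Log data.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# Exchange message tracking logs; path and sourcetype name are assumed.
[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
sourcetype = exchange_messagetracking
disabled = 0

# Registry: changes to the machine-wide Run key by any process.
[WinRegMon://run_keys]
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
disabled = 0

# Performance data, sampled every 60 s.
[perfmon://Processor]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
disabled = 0

# --- Transport: $SPLUNK_HOME\etc\system\local\outputs.conf on the forwarder.
[tcpout]
defaultGroup = central_indexers
# Indexer acknowledgement: the forwarder holds events until the indexer confirms
# it has written them, so a dropped connection does not lose data.
useACK = true
# In-memory queue drained after an outage. File and Event Log inputs also
# checkpoint their read position, so anything not yet sent is simply re-read.
maxQueueSize = 100MB

[tcpout:central_indexers]
server = idx01.corp.example:9997, idx02.corp.example:9997
# SSL is off unless configured; use your own certificates, not the shipped ones,
# and verify the indexer's certificate against your CA.
sslCertPath = $SPLUNK_HOME\etc\auth\forwarder.pem
sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
sslPassword = <forwarder-key-password>
sslVerifyServerCert = true

# --- Receiving side: $SPLUNK_HOME/etc/system/local/inputs.conf on each indexer.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = <indexer-key-password>
# Reject forwarders that do not present a certificate from your CA.
requireClientCert = true
```

Option A needs nothing on the remote hosts, but every stanza in wmi.conf runs under the indexer's service account, so that one account ends up with read rights on every polled machine; treat it accordingly. In Option B the same data the page lists under "more than Event Logs" is just additional stanzas in the forwarder's inputs.conf.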
In addition to these functional requirements, here is a list of common questions about resource utilization:
- What is the resource impact on the remote host? The Snare agent has roughly a 3MB RAM and 1MB disk footprint; a Splunk forwarder has about 18MB RAM and 40MB disk. CPU usage is slightly higher with the Splunk forwarder, but in most cases it stays at a couple of percent of a single core and is negligible. WMI has a much higher footprint and CPU requirement than either Snare or a Splunk forwarder: several Windows services (Windows Management Instrumentation, Remote Procedure Call and the DCOM Server Process Launcher) must be running for WMI to work, and if you do not already have them running for some other purpose, WMI is the most computationally expensive option.
- What is the impact on network load? A Splunk forwarder can be throttled to send at most a fixed number of kilobytes per second; Snare has no such capability. Because each WMI poll pulls everything logged since the previous poll, WMI polling tends to produce large bursts of traffic rather than a steady stream.
- What is the resource impact on the Splunk indexer? Splunk forwarders use slightly more CPU than Snare because they take on part of the input pipeline (reading, checkpointing and tagging the data) that would otherwise be done on the indexer. That work is negligible on any one forwarder, but multiplied across hundreds or thousands of remote machines it is a meaningful load that the central indexer no longer has to carry. If you want to optimize for cost per compute cycle, Splunk forwarders are probably the better bet; if your remote machines are very resource constrained, Snare is probably the better choice.
Lastly, there is the question of what is easy for you to manage. For that, consider your own experience, review the Splunk deployment guide, especially the deployment server section, and compare it with what the Snare community forums say about mass deployment and management.
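The bandwidth throttle mentioned under network load and the deployment server mentioned above fit together: the throttle is a two-line limits.conf, and the deployment server is how you push that file (and the inputs it accompanies) to hundreds of forwarders without touching each one. The fragments below are an added example for this page, not Splunk's own documentation; the deployment server name ds01.corp.example, the hostname pattern, and the app name win_inputs_throttled are assumptions.

```ini
# --- limits.conf, placed in the app pushed to every Windows forwarder:
#     $SPLUNK_HOME/etc/deployment-apps/win_inputs_throttled/local/limits.conf
#     on the deployment server (app name is a placeholder).
#     256 KB/s is the forwarder default; lower it for hosts on thin links.
#     Snare has no equivalent setting.
[thruput]
maxKBps = 128

# --- On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf
#     Any forwarder whose hostname matches the whitelist and that reports a
#     Windows machine type receives the app; a changed limits.conf takes effect
#     on the next restart, which restartSplunkd triggers.
[global]
restartSplunkd = true

[serverClass:windows_forwarders]
whitelist.0 = *.corp.example
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_forwarders:app:win_inputs_throttled]
restartSplunkd = true

# --- On each forwarder, set once at install time:
#     $SPLUNK_HOME\etc\system\local\deploymentclient.conf
#     After this the forwarder phones home and fetches its apps; nothing else
#     has to be edited on the box again.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds01.corp.example:8089
```

Keep the throttle in an app rather than in each forwarder's system/local directory, so that the value is versioned in one place and a later change is just another push from the deployment server.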