Is it possible to add to the Splunk forwarder via the command line items from Windows Event Viewer? I know we can update inputs.conf but is it possible via the command line?
If it is possible, shouldn't monitored event log items show up when you list monitored items?
splunk list monitor
Doesn't display event log items. Thanks
Edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://DNS Server]
disabled = 0
Then restart the Windows service for the universal forwarder to re-read the changes.
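The edit described in the answer above, as an added example that is not part of the original answer and is not Splunk's code: a Python helper that applies it idempotently to the text of inputs.conf, flipping an existing disabled = 1 instead of adding a duplicate stanza and leaving other stanzas and keys untouched. The function name enable_event_logs, the exact-match comparison of stanza names and the sample file contents are assumptions made for the illustration.

```python
import re

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
DISABLED_RE = re.compile(r"^\s*disabled\s*=", re.IGNORECASE)

# Channels named in the answer above.
CHANNELS = ["Application", "Security", "System", "DNS Server"]

# Constructed sample: one unrelated monitor input and a disabled Security stanza.
SAMPLE = (
    "# constructed sample inputs.conf\n"
    "[monitor://C:\\logs\\app.log]\n"
    "index = main\n"
    "\n"
    "[WinEventLog://Security]\n"
    "disabled = 1\n"
    "index = main\n"
)


def enable_event_logs(conf_text, channels):
    """Return conf_text with [WinEventLog://<channel>] set to disabled = 0."""
    # Split into [stanza name, body lines]; the first entry holds text before any stanza.
    sections = [[None, []]]
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            sections.append([m.group(1), []])
        else:
            sections[-1][1].append(line)

    wanted = [f"WinEventLog://{c}" for c in channels]
    present = {name for name, _ in sections}
    for name, body in sections:
        if name in wanted:
            # Drop any existing disabled setting, keep every other key untouched.
            body[:] = ["disabled = 0"] + [l for l in body if not DISABLED_RE.match(l)]
    for name in wanted:
        if name not in present:
            if sections[-1][1] and sections[-1][1][-1].strip():
                sections[-1][1].append("")  # blank line before an appended stanza
            sections.append([name, ["disabled = 0"]])

    out = []
    for name, body in sections:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(body)
    return "\n".join(out) + "\n"
```

Writing the returned text back to inputs.conf and restarting the forwarder service are left to the operator, as in the answer.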
Monitored Event Log Collections:
localhost
disabled:1
hosts:localhost
index:default
logs:
Application
ForwardedEvents
HardwareEvents
Internet Explorer
Security
Setup
System
Just got the above as the result of
C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog
How to enable the log monitor?
You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...
Thanks!
Just found this, looks like it is not possible with the CLI
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...
Give this a try for listing:
splunk list eventlog
Those don't show up in splunk list monitor because a Windows event log entry looks like this:
[WinEventLog://<name>]
rather than this:
[monitor://<path>]
Hence they're not monitor type stanzas.