I have the universal forwarder installed on a Windows 2008 box. I have a directory c:\logs\firewall set up where I am pointing the Windows firewall logs. I want to have the universal forwarder pick these up and send them to the indexer. I am a newb and have read through the doc and it's not really clear to me how to do this. I know I need to edit the inputs.conf but I am not sure of the syntax.
Any help is appreciated.
Just edit your inputs.conf in $SPLUNK_HOME/etc/system/local/. If inputs.conf doesn't exist, add the file.
Do something like this:
[monitor:://C:\Logs\firewall]
disabled = 0
sourcetype = my_sourcetype
host = my_hostname
For details, see:
http://www.splunk.com/base/Documentation/latest/admin/inputsconf
I hope this points you in the right direction.
actually: [monitor://c:\logs\firewall]
, i.e., only one colon. You don't need the disabled=0
clause, that's the default, and most of the time you don't need the hostname if the local forwarder host is correct.