Hello,
My organization is looking into using Splunk as a central log server. I have successfully installed Splunk on an Ubuntu 12.04 LTS box. I'm having a hard time finding documentation explaining how to get event logs, IIS logs, etc. to be viewable in the Splunk web interface. I found a ton of information on the universal forwarders; however, after installing the forwarder on one of our Windows boxes, I'm not really sure where to proceed. I have Splunk listening on 9997 for forwarders and in theory everything should be working (to my knowledge). I may have a misunderstanding of how something is supposed to be working; however, I'm not really sure where to look. I've spent a lot of time looking at a bunch of documentation... I also can't seem to find a YouTube video or something that walks through the process on both the host with the forwarder installed and the Splunk server itself. Please help 😞
Thank you,
Christopher L. Medina
This should give you some details about configuring Windows Event data consumption (see the section "Collect event logs from a remote Windows machine" onwards):
http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Monitorwindowsdata
This should help for IIS data:
http://answers.splunk.com/answers/110846/help-configuring-universal-forwarder-with-iis-logs
General information on how to use forwarders is available here:
http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Usingforwardingagents
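As an added example (not part of the original thread or the Splunk docs), here is the minimal set of .conf stanzas that wires up the setup described in the question: a universal forwarder on a Windows host collecting event logs and IIS logs, and the Ubuntu Splunk server receiving on port 9997. The server hostname, IIS log path and index name are assumptions; adjust them to your environment.

```ini
; ===== On the Windows host: %SPLUNK_HOME%\etc\system\local\outputs.conf =====
; Tells the universal forwarder where to send data (assumed hostname).
[tcpout]
defaultGroup = central_indexer

[tcpout:central_indexer]
server = splunk.example.internal:9997

; ===== On the Windows host: %SPLUNK_HOME%\etc\system\local\inputs.conf =====
; Windows Event Log channels to collect. Security is the one most
; detection use cases need (logons, account changes, process creation
; when auditing is enabled).
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

; IIS W3C logs. The path is the IIS default (assumed); W3SVC1 is the
; first site, use W3SVC* to pick up every site on the host.
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
sourcetype = iis
disabled = 0

; ===== On the Ubuntu server: $SPLUNK_HOME/etc/system/local/inputs.conf =====
; Opens the receiving port the forwarders point at.
[splunktcp://9997]
disabled = 0
```

Restart both instances after editing, then confirm the link from the forwarder with `splunk list forward-server` (the server should appear under "Active forwards") and search `index=* host=<windows-host>` on the server; if nothing arrives, check that 9997/tcp is allowed through any firewall between the two hosts.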