After installing UF on a Windows 2008R2 DC, only Active Directory logs are being forwarded.
Checks were made for Application, System, and Security Windows event logs during installation.
From reviewing previous Q & A it would seem that the inputs.conf should contain stanzas to enable such log monitoring.
Which inputs.conf should be edited? I am assuming the one in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local.
Currently this file contains stanzas such as:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false
After restarting the UF service, there are still no event logs being forwarded.
Well, if you don't want to use a deployment server, then edit the /etc/system/local/inputs.conf and restart the forwarder.
After restarting the service, check what Splunk thinks of the config files:
./splunk cmd btool list
./splunk cmd btool list --debug
The above command takes a config file parameter and shows you the "implied" settings. With the --debug flag, it tells you which location it read them from.
./splunk cmd btool inputs list --debug
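To make the answer's point concrete (why a stanza edited in one inputs.conf can be silently overridden by another, and what `btool inputs list --debug` reveals), here is an added toy model of layered .conf resolution. It is example code written for this page, not Splunk's btool or any Splunk_TA_windows file. The four-layer precedence order it uses (system/local over app local over app default over system default) is a simplified assumption, and all file contents are constructed for the illustration.

```python
"""Toy model of layered Splunk .conf resolution, in the spirit of
`btool inputs list --debug`. Added example, not Splunk code.
Precedence order and file contents below are constructed assumptions."""
import configparser

# Layers listed from LOWEST to HIGHEST precedence (simplified assumption).
LAYER_ORDER = [
    "etc/system/default/inputs.conf",
    "etc/apps/Splunk_TA_windows/default/inputs.conf",
    "etc/apps/Splunk_TA_windows/local/inputs.conf",
    "etc/system/local/inputs.conf",
]

# Constructed sample contents (not real shipped files). The app-local file
# enables the Application log, but a higher-precedence system/local file
# disables it again, which is one way "I set disabled = 0 and nothing
# arrives" can happen.
SAMPLE_FILES = {
    "etc/apps/Splunk_TA_windows/default/inputs.conf": """
[WinEventLog://Application]
disabled = 1
checkpointInterval = 5
renderXml = false

[WinEventLog://Security]
disabled = 1
""",
    "etc/apps/Splunk_TA_windows/local/inputs.conf": """
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog
""",
    "etc/system/local/inputs.conf": """
[WinEventLog://Application]
disabled = 1
""",
}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. renderXml
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(files, order=LAYER_ORDER):
    """Apply lower-precedence files first so higher layers overwrite.
    Returns (effective, origin): effective[stanza][key] is the winning
    value, origin[stanza][key] is the path it came from (--debug style)."""
    effective, origin = {}, {}
    for path in order:
        if path not in files:
            continue
        for stanza, kv in parse_conf(files[path]).items():
            effective.setdefault(stanza, {})
            origin.setdefault(stanza, {})
            for key, value in kv.items():
                effective[stanza][key] = value
                origin[stanza][key] = path
    return effective, origin


def is_enabled(effective, stanza):
    """An input collects only when its effective 'disabled' is 0/false."""
    val = effective.get(stanza, {}).get("disabled", "0").strip().lower()
    return val in ("0", "false")


def report(files):
    """Render a btool-like listing: each key with the file that won."""
    eff, org = merge_layers(files)
    lines = []
    for stanza in sorted(eff):
        lines.append(f"[{stanza}]  enabled={is_enabled(eff, stanza)}")
        for key in sorted(eff[stanza]):
            lines.append(f"  {org[stanza][key]:50s} {key} = {eff[stanza][key]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FILES))
```

Running it shows `disabled = 1` for the Application stanza attributed to etc/system/local/inputs.conf, while `index` and `start_from` still come from the app's local file; that per-key origin is exactly what to look for in the real `btool --debug` output before concluding the forwarder is broken.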