Why are Windows event logs not being forwarded aft...

berniecarolan · ‎11-18-2014

After installing UF on a Windows 2008R2 DC, only Active Directory logs are being forwarded.
Checks were made for Application, System, and Security Windows event logs during installation.
From reviewing previous Q & A it would seem that the inputs.conf should contain stanzas to enable such log monitoring.
Which inputs.conf should be edited? I am assuming the one in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local.
Currently this file contains stanzas such as:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

After restarting the UF service, there are still no event logs being forwarded.

kreszan · ‎05-20-2015

Well, if you don't want to use a deployment server then edit the /etc/system/local/inputs.conf then restart the forwarder.

After restart of the service.
Checking what Splunk thinks of the config files:
./splunk cmd btool list

./splunk cmd btool list --debug

The above command takes a config file parameter and shows you the ‘implied’ settings. With the –debug flag, it tells you which location it read them from.
./splunk cmd btool inputs list --debug

Why are Windows event logs not being forwarded after installing a universal forwarder on a Windows 2008 R2 DC?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life