Hi,
I have added the following stanzas to inputs.conf on the universal forwarder, but events from these channels are not being forwarded to Splunk. Any idea what I've done wrong here?
# inputs.conf stanzas as posted (universal forwarder on the Exchange host).
# Each stanza subscribes the WinEventLog modular input to one event-log channel;
# "disabled = 0" turns that input on. The text after "WinEventLog://" should be
# the channel name exactly as Windows reports it (spaces included, as in
# "MSExchange Management") - confirm against Event Viewer if in doubt.
# NOTE(review): collecting these non-standard channels also requires that the
# account the forwarder service runs as has read access to them; a permissions
# problem surfaces as errors in splunkd.log on the forwarder, not as silently
# missing data on the indexer.
[WinEventLog://Microsoft-Exchange-HighAvailability/Operational]
disabled = 0
[WinEventLog://Microsoft-Exchange-ManagedAvailability/Monitoring]
disabled = 0
[WinEventLog://MSExchange Management]
disabled = 0
[WinEventLog://Microsoft-Exchange-MailboxDatabaseFailureItems/Operational]
disabled = 0
Regards,
Amal
All of the channels look reasonable, so there is no reason they shouldn't be read unless there is a permissions issue. Check the log files on the forwarder in %SPLUNK_HOME%\var\log\splunk - most notably splunkd.log (you can also do this from the Splunk instance by searching index=_internal source=*splunkd.log host=<forwarder-hostname>) - for any errors from the WinEventLog modular input.
Could you please post your outputs.conf as well? Does it have the right path and port to the receivers?
I have three sets of conf files; the outputs.conf files are below.
FYI, data is reaching the server: the standard Application and System logs arrive, but the new non-standard channels I have configured do not.
# Version 6.1.3
# outputs.conf (first of the three files posted).
# forwardedindex.N.* rules form a filter chain applied in numeric order:
# allow every index, then block all "_"-prefixed (internal) indexes, then
# re-allow only _audit and _introspection. "filter.disable = false" keeps the
# chain active.
# NOTE(review): unlike the second file below, _internal is NOT re-allowed here.
# If this file wins at configuration precedence, the forwarder's own
# splunkd.log is never shipped to the indexer and an index=_internal search for
# this host stays empty - read %SPLUNK_HOME%\var\log\splunk locally instead.
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection)
forwardedindex.filter.disable = false
# Version 6.1.3
# outputs.conf (second of the three files posted).
# Same [tcpout] stanza as the first file; Splunk merges the copies by
# precedence, so a key's effective value is whichever file wins for that key.
[tcpout]
maxQueueSize = auto
# Filter chain, evaluated in numeric order. This copy re-allows _internal as
# well, which is what makes index=_internal searches for this host possible.
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
# No local copy is kept; everything goes to the receivers only.
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
# Plain TCP payload, no compression.
compressed = false
disabled = false
# Queue-full behaviour (per outputs.conf.spec): cloned events wait up to 5 s
# before being dropped; -1 on the main path means block rather than drop.
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
# Events are sent pre-parsed ("cooked") to the indexer.
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
# NOTE(review): indexer acknowledgement is off, so events in flight when a
# connection drops can be lost without the forwarder noticing. For logs that
# matter for audit (Exchange management activity here), consider useACK = true.
useACK = false
blockWarnThreshold = 100
# outputs.conf (third of the three files posted).
# Selects the receiver group used when no other group is named.
[tcpout]
defaultGroup = default-autolb-group
# Receiver list for the group: one indexer, host "oracle", port 9997. The host
# must resolve from the forwarder and the port must match the receiving port
# configured on that indexer.
# NOTE(review): none of the three files as posted sets any TLS option
# (sslCertPath / sslRootCAPath), so unless another layer does, forwarder-to-
# indexer traffic is plaintext. Windows event logs, including the Exchange
# management channel, can carry sensitive data; TLS on this link is advisable.
[tcpout:default-autolb-group]
server = oracle:9997
# Per-receiver stanza; empty as posted (it may continue beyond the pasted text).
[tcpout-server://oracle:9997]