Security

[HELP] No events from remote FileServer - SECURITY log

akmartin
New Member

I can't seem to get this figured out. I've tried adding the stanzas to the output.conf file on my fileserver where the SplunkUniversalForwarder is installed, but nothing from the security log ever shows up. Here's the end of my splunkd log.

Windows Server 2012 R2 for both the Indexer and FileServer I'm attempting to pull logs from.

03-15-2016 12:54:54.552 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://NearestDC', targedDC='(null)'

ad nauseam.

Here is my inputs.conf (copied to /etc/var/system/local) --

#   Version 6.3.3
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[blacklist:$SPLUNK_HOME\etc\auth]

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME\etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = false

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false
# Allow only sslv3 and above connections
sslVersions = *,-ssl2

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

# default single instance modular input restarts

# Windows platform specific input processor.
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,3001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000

[WinEventLog://System]
disabled = 0

0 Karma

akmartin
New Member

I started all over and just removed everything. Cleared all the logs and reconnected the UF. Once I did that everything started showing up properly, no more errors. I did so much tinkering I think I just messed things up.

0 Karma

djfangGR
Explorer

I have a similar problem. It seems the problem is with the TA-DomainController-NT6 app or the Splunk_TA_windows app you may have installed. The specific line causing this problem is:

[admon://NearestDC]
monitorSubtree = 1
interval=3600
disabled=true
index=msad

If you do not need to use it, you can disable it and the errors will stop.

0 Karma

oobijiaku
New Member

Thanks for this

0 Karma
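
Added example, not part of the thread and not Splunk's code: a simplified Python model of .conf layering that shows a `disabled = 1` override in etc/system/local winning over an app default for the `[admon://NearestDC]` stanza discussed above, while the Security event log input stays enabled. The layer contents are constructed samples and the first-layer-wins merge is an assumption that ignores `[default]` inheritance and app ordering; `splunk btool inputs list --debug` reports the real merged result on the forwarder.

```python
# Simplified model of .conf layering: the first layer to set a key wins.
# Assumption: [default] inheritance and app ordering are ignored.
LAYERS = [  # constructed samples, highest precedence first
    ("etc/system/local/inputs.conf",
     "[admon://NearestDC]\ndisabled = 1\n\n[WinEventLog://Security]\ndisabled = 0\n"),
    ("etc/apps/Splunk_TA_windows/default/inputs.conf",  # not the TA's real file
     "[admon://NearestDC]\nmonitorSubtree = 1\ninterval = 3600\ndisabled = 0\n\n"
     "[WinEventLog://Security]\ndisabled = 1\n"),
]

def parse_conf(text):
    """Return {stanza: {key: value}}; blank lines and '#' comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(layers):
    """Merge layers into {stanza: {key: (value, source_path)}}."""
    merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                target.setdefault(key, (value, path))  # keep a higher layer's value
    return merged

def is_enabled(settings):
    """An input runs unless 'disabled' resolves to a true value."""
    value, _ = settings.get("disabled", ("0", None))
    return value.lower() not in ("1", "true")

if __name__ == "__main__":
    for stanza, settings in effective(LAYERS).items():
        print(f"[{stanza}] enabled={is_enabled(settings)}")
        for key, (value, path) in settings.items():
            print(f"    {key} = {value}  <- {path}")
```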