Hi Splunk Community,
Can one configure inputs.conf to forward events based on a "Custom View" in Event Viewer?
Specifically, we are looking to forward the Certification Authority events.
Thanks
Take a look at my answer here (the nested one) in case that helps:
https://answers.splunk.com/answers/371126/is-it-possible-to-transport-data-from-a-windows-ev.html
In summary:
[WinEventLog://Path-To-Your-View]
disabled = 0
start_from = oldest
index = yourindexname
For example:
[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
Thanks,
J