How to edit my inputs.conf on a Windows universal forwarder to forward NPS/IAS logs to my Linux indexer?

swannie
New Member

Hi all,

I'm new to Splunk and I'm having a problem getting the Universal Forwarder on Windows to forward Microsoft NPS/IAS logs to my Linux-based indexer server. I successfully have DHCP logs being forwarded and indexed from the servers in question (so I think I'm doing it right), and if I look in the Splunk logs, it tells me that it's monitoring the directory in question. However, none of the logs seem to make it to the server.

Here's my inputs.conf:

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = DHcp.+.log

[monitor://C:\Windows\System32\LogFiles]
sourcetype = ias
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = IN*.log

... everything looks right to me, and as I said the DHCP logging is working great. I'm at a loss as to where I can look to troubleshoot further. Thanks for the assistance!


somesoni2
SplunkTrust

Change the whitelist from whitelist = IN*.log to whitelist = IN.*\.log
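
Why the original whitelist silently dropped the NPS logs, as an added example that is not part of the original thread: it evaluates each whitelist value as a regular expression rather than a glob and compares the admitted files with the expected ones. It assumes the whitelist is an unanchored regex searched against the full file path, with Python's re standing in for Splunk's regex engine; the file names, the helpers `monitored` and `audit`, and the `ANCHORED` pattern are constructed for illustration.

```python
import re

# Constructed sample paths (not from the thread): two NPS/IAS logs plus two
# files that should not be ingested as sourcetype ias.
BASE = "C:\\Windows\\System32\\LogFiles\\"
PATHS = [BASE + n for n in ("IN2401.log", "IN2402.log", "ADMIN.log", "IN2401.log.bak")]
EXPECTED = PATHS[:2]

ORIGINAL = r"IN*.log"               # value from the question (glob-style)
FIXED = r"IN.*\.log"                # value from the accepted answer
ANCHORED = r"[\\/]IN[^\\/]*\.log$"  # hypothetical tighter variant, not from the thread


def monitored(whitelist, paths):
    """Return the paths admitted by a whitelist regex.

    Assumption: the regex is searched, unanchored, against the full path.
    """
    rx = re.compile(whitelist)
    return [p for p in paths if rx.search(p)]


def audit(whitelist, paths, expected):
    """Report expected files the whitelist misses and extra files it admits."""
    got = set(monitored(whitelist, paths))
    want = set(expected)
    return {"missed": sorted(want - got), "unexpected": sorted(got - want)}


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED), ("anchored", ANCHORED)):
        report = audit(pattern, PATHS, EXPECTED)
        print(f"{name:9} {pattern!r}")
        print("   missed    :", [p[len(BASE):] for p in report["missed"]])
        print("   unexpected:", [p[len(BASE):] for p in report["unexpected"]])
```

Read as a regex, `IN*.log` means "I, zero or more N, any one character, then log", so it admits `ADMIN.log` but none of the `INyymm.log` files; the corrected value picks them up, and anchoring to the file name and the end of the path keeps unrelated files out of the `ias` sourcetype.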

swannie
New Member

Yup - I knew it was going to be something simple, and that was it. Being primarily a Linux person I'm a little embarrassed I didn't think of that. Since it was on Windows, RegEx didn't even enter my mind! 🙂

Thanks so much!!
