Hi all,
I'm new to Splunk and I'm having a problem getting the Universal Forwarder on Windows to forward Microsoft NPS/IAS logs to my Linux-based indexer server. I successfully have DHCP logs being forwarded and indexed from the servers in question (so I think I'm doing it right.) and if I look in the Splunk logs, it tells me that it's monitoring the directory in question, however, none of the logs seem to make it to the server.
Here's my inputs.conf:
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = DHcp.+.log
[monitor://C:\Windows\System32\LogFiles]
sourcetype = ias
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = IN*.log
... everything looks right to me, and as I said the DHCP logging is working great. I'm at a loss as to where I can look to troubleshoot further. Thanks for the assistance!
Change the whitelist from whitelist = IN*.log
to whitelist = IN.*\.log
Change the whitelist from whitelist = IN*.log
to whitelist = IN.*\.log
Yup - I knew it was going to be something simple, and that was it. Being primarily a Linux person I'm a little embarrassed I didn't think of that. Since it was on Windows, RegEx didn't even enter my mind! 🙂
Thanks so much!!