I'm trying to monitor the Forwarded Events log on Windows (not Application, System, etc.).
My inputs.conf stanza looks like this:
[WinEventLog://Forwarded Events]
Doesn't seem to work. Anyone had success monitoring this type of event log?
Any help would be much appreciated.
Thanks!
Hi ericlarsen,
Just try this. Ignore the space in "Forwarded Events".
[WinEventLog://ForwardedEvents]
index = YOUR_INDEX
disabled = 0
regards
Unfortunately that did not fix the issue.
Then you have a problem somewhere else.
Example from the official Splunk inputs.conf documentation:
Monitor Windows event logs ForwardedEvents, this time only gathering the
events happening after first starting to monitor, going forward in time.
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 1
batch_size = 10
checkpointInterval = 5
Ignoring the extra parameters, this is the right stanza for inputs.conf.
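When the stanza above is correct and the input still produces nothing, the usual causes are that the channel itself is empty on the collector, or that the forwarder never loaded the new config. The following PowerShell check is an added example, not part of the original thread or of Splunk's documentation; it assumes a default Universal Forwarder install path in $SplunkHome (adjust it for your host) and is run on the Windows Event Collector where the stanza is deployed.

```powershell
# Added diagnostic for the ForwardedEvents input; not from the original thread.
# Assumes the default Splunk Universal Forwarder install path (assumption).
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Event Viewer displays "Forwarded Events", but the channel's internal
#    name, which inputs.conf must use, has no space: ForwardedEvents.
$log = Get-WinEvent -ListLog ForwardedEvents -ErrorAction Stop
"Channel: {0}  Enabled: {1}  Records: {2}  Path: {3}" -f `
    $log.LogName, $log.IsEnabled, $log.RecordCount, $log.LogFilePath

# 2. If the channel holds no records, Splunk has nothing to read; the
#    WEF subscription on the collector is the problem, not inputs.conf.
if ($log.RecordCount -gt 0) {
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
        Select-Object TimeCreated, MachineName, ProviderName, Id |
        Format-Table -AutoSize
} else {
    Write-Warning 'ForwardedEvents is empty; list subscriptions with: wecutil es'
}

# 3. Show the stanza as the forwarder actually merged it from every
#    inputs.conf on disk. This catches an app whose local/ copy overrides
#    yours, or a stanza that is still disabled = 1 after deployment.
& "$SplunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://ForwardedEvents' --debug

# 4. A config pushed by the deployment server only takes effect after a
#    restart of splunkd; confirm the service is up before waiting on data.
& "$SplunkHome\bin\splunk.exe" status
```

Step 3 prints the file each setting came from, so a stanza that appears correct in your app but is shadowed elsewhere shows up immediately; step 4 is the same check that resolved the original poster's case, where the app had been deployed without a restart.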
Not sure why, but it works now. Thanks!
For those curious, I figured out why it just started suddenly working. I didn't have 'Restart Splunk' selected for the app on the Deployment Manager.
Again, TStrauch, thanks for the help with the monitor stanza.
Try adding the sourcetype and index to the stanza so it looks like this:
[WinEventLog://System]
index = YOUR_INDEX
sourcetype = winEventLogs
Also, do you have outputs.conf pointing to your indexer?