The outputs.conf file is unique to forwarders and it defines how forwarders send data to receivers. Check that to make sure that it is configure properly...must do this through the CLI. You can also enable the deployment monitor app to further trouble shoot while we try to figure this out. http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Startthedeploymentmonitor

I haven't modified the outputs.conf file, if I save the event viewer items to a local file and ask splunk to monitor the local file I get the same message on the splunkd log:

06-05-2012 13:43:40.103 -0400 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'C:\Program Files (x86)\EBSCO\SDIAlertService\Logs\temp.evtx': total_events='0' with empty_msg='0'.

However this file is about 12MB in size and contains about 200 events. I installed the UF through the GUI.

What does outputs.conf on the UF read?

I am now monitoring the Windows event log directory, the corresponding entry on my inputs.conf file says:

[monitor://C:WindowsSystem32WinevtLogsApplication.evtx]
disabled = false

I can view the entries through the Event Viewer. However these aren't being forwarded by the forwarder, the splunkd log file entry shows:

06-05-2012 13:21:05.665 -0400 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'C:WindowsSystem32WinevtLogsApplication.evtx': total_events='0' with empty_msg='0'.

Any suggestions/work arounds would be appreciated.

Yes, the application event log has data which I can view through the Event Viewer. The machine is running Windows 2008, I was reading about the alwaysOpenFile option ... would this be applicable in this case?