Hello, we are looking to collect Windows (Application, Security, and System) logs from 14 Domain Controllers. By default the Universal Forwarder begins indexing the logs from the system's earliest event to the most recent. Is there a way we can tell the forwarder to start collecting new events only, and not index the old log entries?
Thanks!
Via inputs.conf (local): current_only = 1
or
Via wmi.conf (remote) : current_only = 1
This solution didn't work with a UF v7.3.2 and Windows Server 2012 R2 Standard.
Thanks ysouchon, added the following to inputs.conf:
# current_only = 1 makes the input pick up only events that arrive while the
# forwarder is running; with it set, start_from has no effect on backfill.
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1
index = indexname
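With 14 Domain Controllers it is easy to push a stanza that forgot `current_only` to one host and backfill years of Security log by mistake. The script below is an added example, not part of this thread or of Splunk: it parses an inputs.conf (a constructed sample is embedded, with one stanza written as above, one missing `current_only`, one setting it to `false`, one disabled) and reports, per WinEventLog stanza, whether the input will backfill old events or only pick up new ones. It assumes Splunk's documented defaults (`current_only` off and `start_from = oldest` when unset) and that inputs.conf is INI-style, which is why Python's `configparser` is enough to read it.

```python
import configparser

# Constructed sample inputs.conf (not a real deployment file): one stanza as
# posted above, one that forgot current_only, one that sets it to false, one
# disabled stanza, and a non-WinEventLog input that the audit should ignore.
SAMPLE_INPUTS_CONF = """\
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:System]
disabled = 0
start_from = oldest
index = indexname

[WinEventLog:Application]
disabled = 0
current_only = false
index = indexname

[WinEventLog:Setup]
disabled = 1
index = indexname

[monitor://C:\\inetpub\\logs]
sourcetype = iis
"""

# Splunk accepts several spellings for a true boolean setting.
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def splunk_bool(value, default=False):
    """Interpret a Splunk boolean setting; None means the setting is absent."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def parse_inputs_conf(text):
    """Read inputs.conf text. Splunk setting names are case-sensitive and a
    [default] stanza applies to every other stanza, so map it to configparser's
    default section and disable option-name lowercasing."""
    parser = configparser.ConfigParser(default_section="default", interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_wineventlog(text):
    """Return {stanza: verdict} for every WinEventLog stanza.

    Verdicts: 'disabled', 'new-events-only' (current_only is on), or
    'backfills-from-<start_from>' (assumed Splunk default start_from=oldest)."""
    parser = parse_inputs_conf(text)
    report = {}
    for stanza in parser.sections():
        if not stanza.startswith("WinEventLog:"):
            continue
        settings = parser[stanza]
        if splunk_bool(settings.get("disabled")):
            report[stanza] = "disabled"
        elif splunk_bool(settings.get("current_only")):
            report[stanza] = "new-events-only"
        else:
            report[stanza] = "backfills-from-" + settings.get("start_from", "oldest")
    return report


if __name__ == "__main__":
    for stanza, verdict in audit_wineventlog(SAMPLE_INPUTS_CONF).items():
        print(f"{stanza}: {verdict}")
```

Run it against the inputs.conf you are about to deploy (read the file into `audit_wineventlog`) and treat any `backfills-from-oldest` verdict as a mistake to fix before the app reaches the DCs. One caveat worth weighing before settling on `current_only = 1`: because the input then only takes events that arrive while the forwarder is running, any events written while the forwarder is stopped or the server is rebooting are never collected, whereas with `current_only = 0` the input checkpoints and resumes from the last event it read. If you want historical events skipped once but no gaps afterwards, deploy with `current_only = 1` first, then switch it to 0 after the initial start.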