I have installed the UF on a number of servers and I configured it to monitor the Windows event logs (Application, System, Security). It looks like the UF has only picked up the event logs starting from when it was installed. Is there a way to tell the UF to ingest all of the event logs from the past?
Did you change the start_from and/or current_only settings in inputs.conf for those wineventlog inputs? Please share the relevant inputs.conf code.
Given the default settings, both of those should be 0, resulting in Splunk also reading existing events if I'm not mistaken.
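As an added worked example (not part of this thread and not Splunk's own tooling), the script below parses an inputs.conf in the same shape as the one the poster shared, applies the documented WinEventLog defaults, and reports which stanzas will actually read the events already sitting in the log. One correction to keep in mind while reading it: start_from takes the values oldest or newest (default oldest), while current_only is the 0/1 setting (default 0), so "both 0" is not quite right even though the defaults do read existing events. The embedded inputs.conf is constructed for the example: it repeats the poster's Security, Application and Sysmon stanzas and adds two hypothetical ones (a TaskScheduler stanza with current_only = 1 and a disabled System stanza with start_from = newest) so the audit has something to flag. Two practical caveats: the forwarder can only backfill what the Windows log still retains, which is bounded by the log's configured maximum size, and once an input has run the forwarder records how far it has read in a checkpoint under var/lib/splunk/modinputs, so changing these settings afterwards does not by itself cause the log to be re-read.

```python
"""Audit WinEventLog stanzas in a Splunk inputs.conf for historical ingest.

Added example for this thread; it is not Splunk code. It only models the
three settings that decide whether existing events are read.
"""
import configparser
import io
from typing import Dict, Tuple

# Documented defaults for the WinEventLog input (inputs.conf.spec):
#   start_from   = oldest   (oldest | newest)
#   current_only = 0        (0 = read events already in the log on first run,
#                            1 = only events written after the input starts)
DEFAULTS = {"start_from": "oldest", "current_only": "0", "disabled": "0"}

# Constructed sample: the poster's stanzas plus two hypothetical ones that
# would NOT backfill, so the audit has both outcomes to show.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
disabled = 0
index = wineventlog
current_only = 1

[WinEventLog://System]
disabled = 1
index = wineventlog
start_from = newest
"""


def _load(text: str) -> configparser.ConfigParser:
    # Splunk conf files are INI-like; keep key case and disable interpolation
    # so values containing '%' or '$' are left alone.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective(raw: Dict[str, str]) -> Dict[str, str]:
    """Merge a stanza's explicit keys over the documented defaults."""
    merged = dict(DEFAULTS)
    merged.update({k.strip(): v.strip() for k, v in raw.items()})
    return merged


def audit(text: str) -> Dict[str, Tuple[bool, str]]:
    """Return {stanza: (reads_existing_events, reason)} for WinEventLog inputs."""
    result: Dict[str, Tuple[bool, str]] = {}
    cp = _load(text)
    for name in cp.sections():
        if not name.startswith("WinEventLog://"):
            continue
        eff = effective(dict(cp[name]))
        if eff["disabled"] != "0":
            ok, reason = False, "input disabled"
        elif eff["current_only"] != "0":
            ok, reason = False, (
                "current_only=%s: only events logged after the input starts are read"
                % eff["current_only"])
        elif eff["start_from"] != "oldest":
            ok, reason = False, (
                "start_from=%s: reading begins at the newest event" % eff["start_from"])
        else:
            ok, reason = True, (
                "start_from=oldest, current_only=0: existing events are read on first run")
        result[name] = (ok, reason)
    return result


def enforce_backfill(text: str) -> str:
    """Rewrite the conf so every enabled WinEventLog stanza backfills explicitly.

    Disabled stanzas are left alone; everything else (index, other keys) is kept.
    """
    cp = _load(text)
    for name in cp.sections():
        if name.startswith("WinEventLog://") and cp[name].get("disabled", "0").strip() == "0":
            cp[name]["start_from"] = "oldest"
            cp[name]["current_only"] = "0"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for stanza, (ok, why) in audit(SAMPLE_INPUTS_CONF).items():
        print("%-60s %s  %s" % (stanza, "BACKFILL" if ok else "NO      ", why))
    print("\n--- after enforce_backfill ---")
    for stanza, (ok, why) in audit(enforce_backfill(SAMPLE_INPUTS_CONF)).items():
        print("%-60s %s  %s" % (stanza, "BACKFILL" if ok else "NO      ", why))
```

On the forwarder itself, `splunk btool inputs list --debug` shows the same merged settings together with the file each one came from, which is the quickest way to confirm that no app or local override is setting current_only or start_from behind your back.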
Here is my input. I did not specify either of the settings you mentioned. Is the default behavior of the UF to only ingest new data from after it is installed?
[WinEventLog://Security]
disabled = 0
index = wineventlog
[WinEventLog://Application]
disabled = 0
index = wineventlog
[WinEventLog://secRMM]
disabled = 0
index = wineventlog
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog
[WinEventLog://Microsoft-Windows-Powershell/Operational]
disabled = 0
index = wineventlog
Did you solve that?