Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.
Hi danman06,
if you're receiving _internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk_TA_Windows so that you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:
At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure Splunk_TA_Windows.
In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.
Bye.
Giuseppe