I have a question about EventLog monitoring by the Universal Forwarder (UF).
I want to set up the EventLog monitoring on the following points.
I want to monitor all EventLogs after the UF was installed, but not before.
I think a parameter like "ignoreOlderThan" in file monitoring is very helpful on this point.
But it's impossible to apply it to EventLog monitoring according to the following URL.
http://splunk-base.splunk.com/answers/51803/wineventlog-ignoreolderthan-2d
"current_only=0" sends events older than the UF installation to the Indexer.
And "current_only=1" sends events except those logged while the UF is down.
How can I get all EventLogs after the UF was installed?
Thank you.
By changing the current_only parameter, the UF can monitor all EventLogs including outages and ignore the past EventLogs from before the UF was installed.
current_only=1 (initial startup) -> change to current_only=0, and restart the UF.
The linked page below is correct.
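The two-phase procedure from the answer above, written out as a PowerShell script. This is an added example, not code from the thread or from Splunk; it assumes the UF is installed at the default path, that its Windows service is named SplunkForwarder, and that the WinEventLog stanzas live in etc\system\local\inputs.conf. Phase 1 starts the UF with current_only = 1 so that nothing logged before the install is read; phase 2 flips the same stanzas to current_only = 0 and restarts, so that from then on the UF resumes from its saved checkpoint after an outage instead of skipping the events logged while it was down.

```powershell
# Added example (not from the Splunk Answers thread). Assumptions: UF installed
# at the default path below, Windows service name "SplunkForwarder", and the
# monitored stanzas kept in etc\system\local\inputs.conf. Adjust as needed.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$InputsConf  = Join-Path $SplunkHome 'etc\system\local\inputs.conf'
$ServiceName = 'SplunkForwarder'

# Phase 1 config: current_only = 1 means the input acquires only events that
# arrive while the UF is running, so history from before the install is never
# indexed. checkpointInterval (seconds) controls how often the input saves the
# ID of the last event it read.
$Phase1 = @'
[WinEventLog://Application]
disabled = 0
current_only = 1
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
current_only = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
current_only = 1
checkpointInterval = 5
'@

function Set-WinEventLogCurrentOnly {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('0', '1')][string]$Value
    )
    # Rewrite only the current_only lines; every other key is left untouched
    # so that whatever else is in the file (index, renderXml, ...) survives.
    $lines   = Get-Content -Path $Path
    $updated = $lines | ForEach-Object {
        if ($_ -match '^\s*current_only\s*=') { "current_only = $Value" } else { $_ }
    }
    Set-Content -Path $Path -Value $updated -Encoding ASCII
}

# Step 1: write the install-time config and (re)start the UF so that it
# records a checkpoint at the current end of each log.
Set-Content -Path $InputsConf -Value $Phase1 -Encoding ASCII
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 30   # give the inputs time to save their first checkpoint

# Step 2: switch to current_only = 0 and restart. From here on the UF resumes
# from the saved checkpoint after any outage, so events logged while it was
# down are still collected, while anything older than the install is skipped.
Set-WinEventLogCurrentOnly -Path $InputsConf -Value '0'
Restart-Service -Name $ServiceName
```

Run it once, elevated, right after the UF is installed. If the UF is deployed through a deployment server, apply the same two-step change to the app's inputs.conf instead of editing etc\system\local on each host.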
Sorry, the answer already exists. I'll test it.
Windows event logs – Define the start time for event collection – do not want current_only OR all history - Splunk Community - http://splunk-base.splunk.com/answers/68446/Windows-event-logs-%E2%80%93-Define-the-start-time-for-e...