I have read all of the above, but I think I'm confused about just what to do to get the indexing going.
We want to pick up the following path on some of our Windows servers: %SystemRoot%\System32\Winevt\Logs\Application.evtx, but I'm not certain what to put in the sourcetype for those files.
Can I select an index rather than the main (which we don't want to use)?
Any assistance would be helpful, thank you!
Hi @nls7010 ,
Don't try to ingest the Windows event logs directly. You'll want to use the Windows TA for Splunk (https://splunkbase.splunk.com/app/742/#/overview) and then refer to the documentation for indexing Windows Events from the event log (https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration).
Specifically you'll want to enable collection for the Application log in inputs.conf on your Windows Universal Forwarder:
inputs.conf
[WinEventLog://Application]
disabled = 0
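As an added example (not part of the original answer), here is what a complete stanza for this case looks like once the index from the question is taken into account. The index name wineventlog and the app-local path are assumptions; the index has to exist on the indexers already, since the Universal Forwarder does not create indexes. The sourcetype does not need to be set by hand: the WinEventLog input assigns it itself (WinEventLog:Application for classic rendering, XmlWinEventLog:Application when renderXml = true), which is why a [monitor://] stanza pointed at the binary Application.evtx file is the wrong tool here.

```ini
# Added example, not code from the original answer.
# Place in the forwarder's local inputs.conf, for example
#   C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf
# (path and index name are assumptions for illustration).
[WinEventLog://Application]
disabled = 0
# Send to a dedicated index instead of main; it must already exist on the indexers.
index = wineventlog
# Sourcetype is assigned by the input: WinEventLog:Application with renderXml = false,
# XmlWinEventLog:Application with renderXml = true. No [monitor://] stanza on the .evtx file.
renderXml = false
# Read the existing backlog once, then keep tailing new events.
start_from = oldest
current_only = 0
# How often (seconds) the forwarder records its read position.
checkpointInterval = 5
```

After saving the file, restart the forwarder and confirm the merged configuration with `splunk btool inputs list WinEventLog://Application --debug` from the forwarder's bin directory; `splunk list inputstatus` then shows whether the input is active. On the search head, `index=wineventlog sourcetype=WinEventLog:Application` should return events within a minute or two; if it returns nothing, check that the index exists on the indexers and that the forwarder's outputs.conf points at them.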