Hi all,
I've set up a heavy forwarder on Server B and forward the entries in the Windows Security log to Server A (indexer).
I configured the inputs.conf on Server B, let's say at 9 AM. The entries are forwarded and indexed successfully. However, it seems like it only captures data from 9 AM onward and does not include older entries.
The content of inputs.conf:
[default]
host = hostname.com
[WinEventLog:Security]
disabled = 0
index = security_index
current_only = 0
start_from = oldest
Am I missing something here?
Thank you
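As an added example (not part of the original post or of Splunk's own tooling), a small Python audit that parses an inputs.conf like the one above, merges the [default] stanza, and reports whether each WinEventLog stanza is configured to collect historical events (enabled, current_only not set to 1, start_from recorded). The default values assumed for current_only (0) and start_from (oldest) are Splunk's documented defaults; note that the file alone cannot show whether an input has already consumed the older events under an existing checkpoint.

```python
import configparser

# Constructed sample: the inputs.conf posted in the question above.
SAMPLE_INPUTS_CONF = """
[default]
host = hostname.com
[WinEventLog:Security]
disabled = 0
index = security_index
current_only = 0
start_from = oldest
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza: {key: value}}, with [default] merged in."""
    # RawConfigParser avoids '%' interpolation; Splunk uses 'default' as its shared stanza.
    cp = configparser.RawConfigParser(default_section="default", strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit_wineventlog_stanza(settings):
    """Decide whether one WinEventLog stanza is set up to read historical events."""
    disabled = settings.get("disabled", "0").strip().lower() in TRUE_VALUES
    current_only = settings.get("current_only", "0").strip().lower() in TRUE_VALUES
    start_from = settings.get("start_from", "oldest").strip().lower()  # Splunk default: oldest
    reasons = []
    if disabled:
        reasons.append("stanza is disabled")
    if current_only:
        reasons.append("current_only = 1 collects only events written after the input starts")
    return {
        "enabled": not disabled,
        "current_only": current_only,
        "start_from": start_from,
        "index": settings.get("index", "default"),
        "host": settings.get("host"),
        # History can only be collected when the input is enabled and not current_only.
        "collects_history": not disabled and not current_only,
        "reasons": reasons,
    }


def audit_inputs_conf(text):
    """Audit every WinEventLog:* stanza in an inputs.conf and return findings by stanza name."""
    stanzas = parse_inputs_conf(text)
    return {name: audit_wineventlog_stanza(cfg)
            for name, cfg in stanzas.items() if name.startswith("WinEventLog:")}


if __name__ == "__main__":
    for name, finding in audit_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(name, finding)
```

If collects_history is True for the stanza yet only recent events arrive, the cause lies outside the file itself (for example, an existing checkpoint for that input) rather than in these settings.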
All looks fine. Make sure that your Windows event logs were present.
Did you figure this out? The exact same thing is happening to me.
The logs were there, and I could see entries from well before the creation of the inputs.conf file.
So I can't figure out why it only picks up entries after 9 AM.