Getting Data In

How to capture all entries in Windows Security Logs at first run

nswcowboy
New Member

hi All,

I've setup a heavy forwarder on Server B, and forward the entries in Windows Security log to Server A (Indexer).

I configured the inputs.conf on Server B, let say at 9 AM in the morning, the entries are forwarded and indexed successfully. However, seems like it is only captures data from 9 AM onward and not including older entries.

The content of inputs.conf:

[default]

host = hostname.com

[WinEventLog:Security]

disabled = 0

index = security_index

current_only = 0

start_from = oldest

Am I missing something here?

Thank you

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

All looks fine. make sure that your wineventslog were present.

0 Karma

kmcconnell
Path Finder

Did you figure this out? The exact same thing is happening to me.

0 Karma

nswcowboy
New Member

the Logs were there and I could see the entries way back before the creation of the input.conf file.
So, I can't figure out why it only pick up entries after 9 AM.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...