I got an error starting WinEventLog collection when starting Universal Forwarder 6.6.2 on Windows Server 2008 R2 (x64). streamfwd.exe worked well on the same host. Has anyone seen the same situation, or have any ideas?
10-29-2017 19:38:05.421 +0900 ERROR ModularInputs - Unable to initialize modular input "WinEventLog" defined in the system context: Introspecting scheme=WinEventLog: script running failed (exited with code 0).
10-29-2017 19:38:05.156 +0900 ERROR ModularInputs - Introspecting scheme=WinEventLog: killing process, because executing it took too long (over 30000 msecs).
If this is because of the checkpoint file, step 2 will not produce events. Step 4 should produce events.
On the UF, run command prompt as administrator
Navigate to $SPLUNK_HOME\bin
Run the two commands below:
$ set SPLUNK_HOME="c:\program files\SplunkUniversalForwarder"
$ splunk cmd splunkd print-modinput-config WinEventLog
You can consider upgrading the affected Splunk UFs as well.
Cheers!
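Added example, not part of the original thread: when the WinEventLog modular input fails to initialize as in the question, event log collection on that host does not start, so the two splunkd.log errors are worth detecting across forwarders. This Python sketch parses them and summarizes failures per scheme; the function name and the third (filler) log line are constructed for illustration.

```python
import re
from datetime import datetime

# First two lines are copied from the question; the third is constructed filler.
SAMPLE_LOG = """\
10-29-2017 19:38:05.421 +0900 ERROR ModularInputs - Unable to initialize modular input "WinEventLog" defined in the system context: Introspecting scheme=WinEventLog: script running failed (exited with code 0).
10-29-2017 19:38:05.156 +0900 ERROR ModularInputs - Introspecting scheme=WinEventLog: killing process, because executing it took too long (over 30000 msecs).
10-29-2017 19:38:06.000 +0900 INFO  ExampleComponent - constructed filler line
"""

# splunkd.log layout as seen in the question: timestamp, level, component, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
SCHEME_RE = re.compile(r"scheme=(?P<scheme>[^:\s]+)")
TIMEOUT_RE = re.compile(r"took too long \(over (?P<ms>\d+) msecs\)")
INIT_FAIL = "Unable to initialize modular input"


def find_modinput_failures(log_text):
    """Summarize ModularInputs errors per scheme (hypothetical helper)."""
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR" or m["component"] != "ModularInputs":
            continue
        scheme = SCHEME_RE.search(m["msg"])
        if not scheme:
            continue  # error not tied to a named scheme
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        entry = failures.setdefault(
            scheme["scheme"],
            {"first_seen": ts, "timeout_ms": None, "init_failed": False},
        )
        # Log lines are not guaranteed to be in time order (see the sample).
        entry["first_seen"] = min(entry["first_seen"], ts)
        timeout = TIMEOUT_RE.search(m["msg"])
        if timeout:
            entry["timeout_ms"] = int(timeout["ms"])
        if INIT_FAIL in m["msg"]:
            entry["init_failed"] = True
    return failures


if __name__ == "__main__":
    for name, info in find_modinput_failures(SAMPLE_LOG).items():
        print(name, info["first_seen"].isoformat(), info["timeout_ms"], info["init_failed"])
```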