- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: No Wineventlogs With Universal Forwarder 6.1.2...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recently installed the newest UF on a server to test before rolling out to the rest of the environment. I am able to monitor log files on the filesystem, but not wineventlogs. I verified the configuration is correct. Is there a bug with this UF?
Any assistance would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. There is a statement in the props.conf on the indexers that deletes wineventlog:application data that does not match some regex value. I will need to modify this statement.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. There is a statement in the props.conf on the indexers that deletes wineventlog:application data that does not match some regex value. I will need to modify this statement.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@linu1988 thanks for the reply. Will using SOURCE_KEY = MetaData:Host make the REGEX = test123 match on the host sending the log, or will it match on characters within the log itself. I should have clarified that I have used the DEST_KEY = queue and FORMAT = indexQueue successfully in the past.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
indexQueue is mentioned, so it will be indexed. Refer the document
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do have another question pertaining to the transforms.conf file. Would the below config route all logs to the normal queue for host test123?
[keep_test123_data]
SOURCE_KEY = MetaData:Host
REGEX = test123
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf:
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = techsvcs
As far as I can tell, this is the same wineventlog configuration that I have working on other versions of UF.
There is also an outputs app that is working for 40+ other servers that is applied to this server to indicate how to send data to the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it works on server 2008 i have tested, could you post your configuration?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
