I'm not sure where to look, but I was trying to capture Event ID/Code 4672, which is in the Windows Security logs, but I cannot find it within Splunk. I am using Universal Forwarders and so far I am seeing everything I'm looking for except that Event code. Any idea where I can look to see if it's being filtered? I've looked in E:>Program Files>Splunk>etc>system>local at the transforms.conf file and don't see it listed. I wasn't sure if that is a filter of what to include or exclude.
Thanks.