Hello,
I would like to index all print events generated in the Windows Server 2012 event log. The log is located under Windows Logs, Applications and Services, Microsoft, Windows, PrintService, Operational (and Admin).
I installed a Universal Forwarder on the print server, then tried to view logs on my indexer, and the only Available Logs are the standard ones. If I look at Data Inputs for Local Log File Collection, the PrintService logs are available.
Here are the contents of my local\inputs.conf:

[default]
host = PS-MAINOFFICE2

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0

[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0

Here's what shows in my splunkd.log on the print server:
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WELCheckPoint::saveCheckpointStr: Unable to open checkpoint file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for write
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to save checkpoint_file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for channel='microsoft-windows-printservice/operational'
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='microsoft-windows-printservice/operational'
Am I missing something somewhere?
Thanks,
Mike
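An added example, not part of the original post and not Splunk's own code: a Python triage helper that parses the splunkd.log lines quoted above, groups the splunk-winevtlog checkpoint errors by channel, and probes whether the directory that has to hold each checkpoint file exists and is writable. The function names and the rule for deriving a channel from the path after `\WinEventLog\` are assumptions of this example.

```python
import ntpath
import os
import re
import tempfile

# The three ERROR lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = r'''
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WELCheckPoint::saveCheckpointStr: Unable to open checkpoint file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for write
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to save checkpoint_file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for channel='microsoft-windows-printservice/operational'
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='microsoft-windows-printservice/operational'
'''

LINE_RE = re.compile(
    r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} "
    r"(?P<level>\w+)\s+(?P<component>\w+) - (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)='([^']*)'")   # key='value' pairs inside the message
MARKER = "\\WinEventLog\\"               # assumption: channel name follows this folder

def checkpoint_failures(log_text):
    """Return {channel: {'checkpoint': path, 'parent': dir, 'errors': count}}."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR" or "splunk-winevtlog" not in m["msg"]:
            continue
        kv = dict(KV_RE.findall(m["msg"]))
        path = kv.get("file") or kv.get("checkpoint_file")
        channel = kv.get("channel")
        if channel is None and path and MARKER in path:
            channel = path.split(MARKER, 1)[1]
        if channel is None:
            continue
        entry = found.setdefault(channel, {"checkpoint": None, "parent": None, "errors": 0})
        entry["errors"] += 1
        if path:
            # ntpath treats both '\' and '/' as separators, as Windows does, so a
            # channel such as 'provider/operational' yields a 'provider' folder.
            entry["checkpoint"], entry["parent"] = path, ntpath.dirname(path)
    return found

def probe_directory(directory):
    """Return 'missing', 'not-writable' or 'ok' for the account running this script."""
    if not os.path.isdir(directory):
        return "missing"
    try:
        with tempfile.TemporaryFile(dir=directory):
            return "ok"
    except OSError:
        return "not-writable"

if __name__ == "__main__":
    for channel, info in checkpoint_failures(SAMPLE_LOG).items():
        print(channel, info["errors"], info["parent"], probe_directory(info["parent"]))
```

The probe result is only meaningful when the script runs on the forwarder host under the same account as the Universal Forwarder service.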