After installing UF on a Windows 2008R2 DC, only Active Directory logs are being forwarded.
Checks were made for Application, System, and Security Windows event logs during installation.
From reviewing previous Q & A it would seem that the inputs.conf should contain stanzas to enable such log monitoring.
Which inputs.conf should be edited? I am assuming the one in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local.
Currently this file contains stanzas such as:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
After restarting the UF service, there are still no event logs being forwarded.