https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166873#M15869 <P>Well, something I noticed and I have no idea if it's a problem or not, but all my DCs have their various sourcetypes set with no spaces in it.</P> <P>For instance, on the one I checked, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf says:</P> <PRE><CODE>[WinEventLog://File Replication Service] disabled=0 sourcetype=WinEventLog:File-Replication-Service index=wineventlog queue=parsingQueue </CODE></PRE> <P>Try changing them to dashes and not spaces in those stanza and restart the UF?</P> Fri, 14 Aug 2015 15:10:39 GMT Richfez 2015-08-14T15:10:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166870#M15866 <P>I have the Windows Infrastructure app installed on a Windows machine. The monitor stanza and the powershell scripts are working fine, but the Winevent logs with the following config are not indexing any data.</P> <PRE><CODE>[WinEventLog:DFS Replication] disabled=0 sourcetype="WinEventLog:DFS Replication" index=winevents queue=parsingQueue # Application and Services Logs - Directory Service [WinEventLog:Directory Service] disabled=0 sourcetype="WinEventLog:Directory Service" index=winevents queue=parsingQueue # Application and Services Logs - File Replication Service [WinEventLog:File Replication Service] disabled=0 sourcetype="WinEventLog:File Replication Service" index=winevents queue=parsingQueue </CODE></PRE> <P>Please guide me where am I going wrong?</P> Wed, 12 Aug 2015 11:56:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166870#M15866 amithhegde 2015-08-12T11:56:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166871#M15867 <P>Two semi-general suggestions:</P> <P>If it's installed on the local machine, is that local machine a Domain Controller?</P> <P>You do have a "winevents" index on the indexer this gets sent to, right? If not, create that. I believe I had a problem where that app didn't create one of the indexes, though I don't recall which one. This could be your problem.</P> Thu, 13 Aug 2015 21:12:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166871#M15867 Richfez 2015-08-13T21:12:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166872#M15868 <P>Hi Rich,</P> <P>Thanks for replyin, yes I have the "winevents" index created, and the machine I want to gt events from is not a local machine. But i have deployed the DomainController App on the machine in question.</P> <P>Kindly let me know if I am missing something. Any suggestions on this would be really helpful.</P> Fri, 14 Aug 2015 13:55:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166872#M15868 amithhegde 2015-08-14T13:55:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166873#M15869 <P>Well, something I noticed and I have no idea if it's a problem or not, but all my DCs have their various sourcetypes set with no spaces in it.</P> <P>For instance, on the one I checked, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf says:</P> <PRE><CODE>[WinEventLog://File Replication Service] disabled=0 sourcetype=WinEventLog:File-Replication-Service index=wineventlog queue=parsingQueue </CODE></PRE> <P>Try changing them to dashes and not spaces in those stanza and restart the UF?</P> Fri, 14 Aug 2015 15:10:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-Why-are-WinEventLog/m-p/166873#M15869 Richfez 2015-08-14T15:10:39Z