https://community.splunk.com/t5/Deployment-Architecture/Windows-Forwarder-not-collecting-EventLogs/m-p/345005#M12827 <UL> <LI>I installed windows Universal forwarder on a host as a local user and updated outputs.conf with the Indexer details .</LI> <LI>However as per doc , I never got this promt during installation: <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata" target="_blank">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata</A></LI> </UL> <P>"When the installer prompts you to specify inputs, enable the event log inputs by checking the "Event logs" checkbox."</P> <UL> <LI>I also pushed inputs.conf for eventlog collection via deployment server with the below stanza. [WinEventLog://Application] disabled=0 [WinEventLog://Security] disabled=0 [WinEventLog://System] disabled=0</LI> </UL> <P>Eventlog data is not getting collected. Also there is no output for the host on the Search Head.</P> <P>1) I noticed this error in the splunkd.log on the windows forwarder and I'm not aware of this error, also couldn't find much info on Splunk docs / splunk answers. All I did was installing the forwarder on the host. I never set up any cron for the splunk exe process and Im unable to figure out this error.</P> <P>Could someone please guide:</P> <P>08-01-2017 06:26:04.223 -0400 ERROR ExecProcessor - message from ""E:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza get-networklatency. Invalid cron schedule: 0*/5***?</P> <P>2) Also Am I missing out an any steps for configuring the windows forwarder Eventlog collection?</P> Tue, 29 Sep 2020 15:11:17 GMT saranya_fmr 2020-09-29T15:11:17Z https://community.splunk.com/t5/Deployment-Architecture/Windows-Forwarder-not-collecting-EventLogs/m-p/345005#M12827 <UL> <LI>I installed windows Universal forwarder on a host as a local user and updated outputs.conf with the Indexer details .</LI> <LI>However as per doc , I never got this promt during installation: <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata" target="_blank">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata</A></LI> </UL> <P>"When the installer prompts you to specify inputs, enable the event log inputs by checking the "Event logs" checkbox."</P> <UL> <LI>I also pushed inputs.conf for eventlog collection via deployment server with the below stanza. [WinEventLog://Application] disabled=0 [WinEventLog://Security] disabled=0 [WinEventLog://System] disabled=0</LI> </UL> <P>Eventlog data is not getting collected. Also there is no output for the host on the Search Head.</P> <P>1) I noticed this error in the splunkd.log on the windows forwarder and I'm not aware of this error, also couldn't find much info on Splunk docs / splunk answers. All I did was installing the forwarder on the host. I never set up any cron for the splunk exe process and Im unable to figure out this error.</P> <P>Could someone please guide:</P> <P>08-01-2017 06:26:04.223 -0400 ERROR ExecProcessor - message from ""E:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza get-networklatency. Invalid cron schedule: 0*/5***?</P> <P>2) Also Am I missing out an any steps for configuring the windows forwarder Eventlog collection?</P> Tue, 29 Sep 2020 15:11:17 GMT https://community.splunk.com/t5/Deployment-Architecture/Windows-Forwarder-not-collecting-EventLogs/m-p/345005#M12827 saranya_fmr 2020-09-29T15:11:17Z https://community.splunk.com/t5/Deployment-Architecture/Windows-Forwarder-not-collecting-EventLogs/m-p/345006#M12828 <P>Start it over. Reinstall the forwarder and accept defaults. Only set the deployment server values during the install. Then make sure the respective apps are installed from the deployment server. If not, then start there.</P> <P>Also, make sure you have network connectivity between this endpoint and the indexers as well as the deployment server. I've seen many hours wasted on Splunk when it turns out it's just a networking blockage.</P> Wed, 02 Aug 2017 18:43:54 GMT https://community.splunk.com/t5/Deployment-Architecture/Windows-Forwarder-not-collecting-EventLogs/m-p/345006#M12828 sloshburch 2017-08-02T18:43:54Z