<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Universal Forwarder Install - Doesn't Forward System or Security Logs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55016#M10709</link>
    <description>&lt;P&gt;That conf file looks correct, yes. I'm afraid I can't say anything about why the events weren't picked up to begin with.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Mar 2013 21:27:56 GMT</pubDate>
    <dc:creator>Ayn</dc:creator>
    <dc:date>2013-03-07T21:27:56Z</dc:date>
    <item>
      <title>Universal Forwarder Install - Doesn't Forward System or Security Logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55013#M10706</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I installed the Universal Forwarder v4.3.5 on a Windows 7 system, and during the install I checked off the boxes to monitor the Application, Security, and System event logs.  When the installation was complete I checked out my Splunk Indexer, and noticed that only the Application log was being forwarded.&lt;/P&gt;

&lt;P&gt;I checked out my &lt;CODE&gt;$SPLUNK_HOME\etc\system\local\inputs.conf&lt;/CODE&gt; file, and all it contained was:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;[default]&lt;BR /&gt;
host = my_host&lt;BR /&gt;
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]&lt;BR /&gt;
disabled = 0&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;I had to manually add:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;[WinEventLog:Application]&lt;BR /&gt;
disabled = 0 &lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
disabled = 0 &lt;BR /&gt;
[WinEventLog:System]&lt;BR /&gt;
disabled = 0&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;to get the logs to show up on my Indexer.  Is there a reason why the Universal Forwarder isn't doing this when I select those options during the install?&lt;/P&gt;

&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2013 20:35:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55013#M10706</guid>
      <dc:creator>mwilhide</dc:creator>
      <dc:date>2013-03-07T20:35:34Z</dc:date>
    </item>
    <item>
      <title>Re: Universal Forwarder Install - Doesn't Forward System or Security Logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55014#M10707</link>
      <description>&lt;P&gt;Splunk configuration files can reside in a number of different places. In the case of the settings that are created when you install a Universal Forwarder, they reside in an app called "MSICreated" (iirc). The app in turn resides under &lt;CODE&gt;$SPLUNK_HOME\etc\apps&lt;/CODE&gt;.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2013 21:02:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55014#M10707</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-03-07T21:02:09Z</dc:date>
    </item>
    <item>
      <title>Re: Universal Forwarder Install - Doesn't Forward System or Security Logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55015#M10708</link>
      <description>&lt;P&gt;Interesting, thanks for the info.  I just checked that inputs.conf file, and this is what it looks like:&lt;BR /&gt;
&lt;CODE&gt;[WinEventLog:Application]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
[WinEventLog:ForwardedEvents]&lt;BR /&gt;
[WinEventLog:HardwareEvents]&lt;BR /&gt;
[WinEventLog:Internet Explorer]&lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
[WinEventLog:Setup]&lt;BR /&gt;
[WinEventLog:System]&lt;BR /&gt;
disabled = 0&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;I wonder why I had to modify the &lt;CODE&gt;\etc\system\local\inputs.conf&lt;/CODE&gt; file in order to get everything working?  The inputs.conf file in &lt;CODE&gt;\etc\apps&lt;/CODE&gt; directory looks like it should have forwarded events like I wanted.&lt;/P&gt;

&lt;P&gt;Thanks for your response!&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2013 21:07:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55015#M10708</guid>
      <dc:creator>mwilhide</dc:creator>
      <dc:date>2013-03-07T21:07:46Z</dc:date>
    </item>
    <item>
      <title>Re: Universal Forwarder Install - Doesn't Forward System or Security Logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55016#M10709</link>
      <description>&lt;P&gt;That conf file looks correct, yes. I'm afraid I can't say anything about why the events weren't picked up to begin with.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2013 21:27:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Install-Doesn-t-Forward-System-or-Security/m-p/55016#M10709</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-03-07T21:27:56Z</dc:date>
    </item>
  </channel>
</rss>

