Universal Forwarder Not Forwarding Windows Event Logs

itsomana — Thu, 20 Oct 2011 14:00:53 GMT

I have just installed a Universal forwarder on a windows server and during the installation I selected the option to index windows event logs and performance logs.

I have checked splunk and can see it indexing performance logs, however it is not indexing the windows event logs. I can see these logs set-up in the following location.

C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf

As it is a windows server, do I need to copy in a windows folder where the inputs.conf file can be updated in window\local folder

Re: Universal Forwarder Not Forwarding Windows Event Logs

JSapienza — Thu, 20 Oct 2011 14:35:42 GMT

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

topic Universal Forwarder Not Forwarding Windows Event Logs in Getting Data In

Universal Forwarder Not Forwarding Windows Event Logs

Re: Universal Forwarder Not Forwarding Windows Event Logs