<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Why are Windows event logs not being forwarded after installing a universal forwarder on a Windows 2008 R2 DC? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-event-logs-not-being-forwarded-after-installing/m-p/123710#M25537</link>
    <description>&lt;P&gt;After installing UF on a Windows 2008R2 DC, only Active Directory logs are being forwarded.&lt;BR /&gt;
Checks were made for Application, System, and Security Windows event logs during installation.&lt;BR /&gt;
From reviewing previous Q &amp;amp; A it would seem that the inputs.conf should contain stanzas to enable such log monitoring.&lt;BR /&gt;
Which inputs.conf should be edited? I am assuming the one in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local.&lt;BR /&gt;
Currently this file contains stanzas such as:&lt;BR /&gt;
[WinEventLog://Application]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
index = wineventlog&lt;BR /&gt;
renderXml=false&lt;/P&gt;

&lt;P&gt;After restarting the UF service, there are still no event logs being forwarded.&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 18:11:46 GMT</pubDate>
    <dc:creator>berniecarolan</dc:creator>
    <dc:date>2020-09-28T18:11:46Z</dc:date>
    <item>
      <title>Why are Windows event logs not being forwarded after installing a universal forwarder on a Windows 2008 R2 DC?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-event-logs-not-being-forwarded-after-installing/m-p/123710#M25537</link>
      <pubDate>Mon, 28 Sep 2020 18:11:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-event-logs-not-being-forwarded-after-installing/m-p/123710#M25537</guid>
      <dc:creator>berniecarolan</dc:creator>
      <dc:date>2020-09-28T18:11:46Z</dc:date>
    </item>
    <item>
      <title>Re: Why are Windows event logs not being forwarded after installing a universal forwarder on a Windows 2008 R2 DC?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-event-logs-not-being-forwarded-after-installing/m-p/123711#M25538</link>
      <description>&lt;P&gt;Well, if you don't want to use a deployment server then edit the /etc/system/local/inputs.conf then restart the forwarder. &lt;/P&gt;

&lt;P&gt;After restart of the service.&lt;BR /&gt;
Checking what Splunk thinks of the config files:&lt;BR /&gt;
./splunk cmd btool  list &lt;/P&gt;

&lt;P&gt;./splunk cmd btool  list --debug&lt;/P&gt;

&lt;P&gt;The above command takes a config file parameter and shows you the ‘implied’ settings. With the --debug flag, it tells you which location it read them from.&lt;BR /&gt;
./splunk cmd btool inputs list --debug&lt;/P&gt;</description>
      <pubDate>Wed, 20 May 2015 13:25:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-event-logs-not-being-forwarded-after-installing/m-p/123711#M25538</guid>
      <dc:creator>kreszan</dc:creator>
      <dc:date>2015-05-20T13:25:53Z</dc:date>
    </item>
  </channel>
</rss>

