https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145616#M29675 <P>Hello,<BR /> I think it is because of your syntax. Could you try the below?</P> <PRE><CODE>[WinEventLog://Application] disabled = 0 checkpointInterval = 5 current_only = 0 index = app </CODE></PRE> <P>Thanks,<BR /> L</P> Tue, 30 Sep 2014 15:43:53 GMT linu1988 2014-09-30T15:43:53Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145614#M29673 <P>This is the first time I have tried running a UF on a server 2012 R2 box. Configuration is the same as my other win boxes. Config being pushed out with deployment server. However no wineventlogs are being sent. UF is 6.1.2. Config from deployment server:</P> <PRE><CODE>[WinEventLog:Application] checkpointInterval = 5 current_only = 0 disabled = false index = app start_from = oldest </CODE></PRE> <P>Is this a bug?</P> Tue, 30 Sep 2014 15:29:29 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145614#M29673 jodros 2014-09-30T15:29:29Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145615#M29674 <P>The "5." by index is not in my config.</P> Tue, 30 Sep 2014 15:33:52 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145615#M29674 jodros 2014-09-30T15:33:52Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145616#M29675 <P>Hello,<BR /> I think it is because of your syntax. Could you try the below?</P> <PRE><CODE>[WinEventLog://Application] disabled = 0 checkpointInterval = 5 current_only = 0 index = app </CODE></PRE> <P>Thanks,<BR /> L</P> Tue, 30 Sep 2014 15:43:53 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145616#M29675 linu1988 2014-09-30T15:43:53Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145617#M29676 <P>That was my first thought. However after reviewing I believe it is correct. My ds is linux. Verified that the config on the UF is [WinEventLog://Application]. I believe it gets translated. Also, that config on the ds is working on all other winOS boxes.</P> Tue, 30 Sep 2014 15:55:59 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145617#M29676 jodros 2014-09-30T15:55:59Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145618#M29677 <P>Do you see any error? Is all the permissions given for reading the logs? Could you check if system/security logs work?</P> Tue, 30 Sep 2014 16:07:21 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145618#M29677 linu1988 2014-09-30T16:07:21Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145619#M29678 <P>Added Security logs to be monitored. That works, however application logs are not working. I added security log monitoring by using this configuration on the ds:</P> <P>[WinEventLog:Security]</P> <P>Which translated to</P> <P>[WinEventLog://Security]</P> <P>On the winOS box. I don't know why application logs do not get indexed but security logs do? There are no errors that I can see specific to this issue.</P> <P>Thanks</P> Tue, 30 Sep 2014 17:01:37 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145619#M29678 jodros 2014-09-30T17:01:37Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145620#M29679 <P>I also just upgraded the UF from 6.1.2 to 6.1.3. Issues still persists. I might try to install an older version of UF, possibly 5.x.</P> Tue, 30 Sep 2014 17:27:54 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145620#M29679 jodros 2014-09-30T17:27:54Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145621#M29680 <P>they won't support 2012 as per the versions. Newer version should work. Fire a support case. I will try on one of my VM tomorrow to see if it works</P> Tue, 30 Sep 2014 20:42:30 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145621#M29680 linu1988 2014-09-30T20:42:30Z https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145622#M29681 <P>There was an existing props.conf entry on the indexers to drop wineventlog:application logs by default. Removed and it is working with original syntax. Sorry for the unneeded rabbit trail. Thanks for your time.</P> Tue, 30 Sep 2014 21:46:52 GMT https://community.splunk.com/t5/Getting-Data-In/UF-on-Server-2012-R2-Not-Pulling-in-WinEventLog-Application/m-p/145622#M29681 jodros 2014-09-30T21:46:52Z