https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/173504#M34896 <P>figured it out - forgot //</P> <P>[default]</P> <P>[WinEventLog://Application]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = tu_windows</P> <P>[WinEventLog://Security]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> blacklist = 5156|4656|33205|5158<BR /> index = tu_windows</P> <P>[WinEventLog://System]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = tu_windows</P> Mon, 28 Sep 2020 18:36:18 GMT ebailey 2020-09-28T18:36:18Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/173503#M34895 <P>We just upgraded a very old UF on Windows 2008 R2 to 6.1.2 None of the Windows event logs are being forwarded to the indexer though the UF logs and and custom application logs are being forwarded to the indexer so I know the UF can forward data.</P> <P>The inputs.conf for the Windows Event logs</P> <P>[default]</P> <P>[WinEventLog:Application]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = test</P> <P>[WinEventLog:Security]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> blacklist = 5156|4656|33205|5158<BR /> index = test</P> <P>[WinEventLog:System]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = test</P> <P>We have a lot of other UF installs that are using this inputs.conf so I am confused why this it not working.</P> <P>The only related message I am seeing is:</P> <P>INFO ModularInputs - No stanzas found for scheme "WinEventLog" in inputs.conf at script (re)start.</P> <P>Any ideas why the inputs.conf is being ignored?</P> <P>Thanks</P> Mon, 28 Sep 2020 18:34:29 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/173503#M34895 ebailey 2020-09-28T18:34:29Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/173504#M34896 <P>figured it out - forgot //</P> <P>[default]</P> <P>[WinEventLog://Application]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = tu_windows</P> <P>[WinEventLog://Security]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> blacklist = 5156|4656|33205|5158<BR /> index = tu_windows</P> <P>[WinEventLog://System]<BR /> checkpointInterval = 5<BR /> current_only = 1<BR /> disabled = 0<BR /> start_from = oldest<BR /> index = tu_windows</P> Mon, 28 Sep 2020 18:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/173504#M34896 ebailey 2020-09-28T18:36:18Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/595842#M104059 <P>I had a similar issue however the solution was different because I had the correct syntax (I had the forward slashes).&nbsp;</P><P>I took the Windows TA and decided that for the WinNetMon stanza I only wanted it to go to specific windows servers as opposed to all of them in my environment. And instead of deleting the stanzas from the Splunk_TA_Windows/local/inputs.conf , I set disabled = 1. So when I created another app specific for the WinNetMon stanza and set that disabled = 0. The disabled = 1 took precedence over my custom app, hence Splunk could not find a WinNetMon stanza.&nbsp;<BR /><BR />Deleting the WinNetMon stanzas from Splunk_TA_Windows/local/inputs.conf fixed my issue.</P> Thu, 28 Apr 2022 18:27:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-events-logs-no-longer-being-forwarded-after/m-p/595842#M104059 jacbob 2022-04-28T18:27:34Z