https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-universal-forwarder-monitor-stanza-to-index/m-p/230772#M44926 <P>I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path: </P> <PRE><CODE>%SystemRoot%\System32\Winevt\Logs\ </CODE></PRE> <P>How can I monitor it? I have tried the following, but it does not work:</P> <PRE><CODE>[monitor://%SystemRoot%/System32\Winevt\Logs] targetDC = hqdc06 baseline = false disabled = 0 index = wineventlog renderXml=false Sourcetype = Active Directory </CODE></PRE> Wed, 16 Nov 2016 21:23:54 GMT anaqvi 2016-11-16T21:23:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-universal-forwarder-monitor-stanza-to-index/m-p/230772#M44926 <P>I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path: </P> <PRE><CODE>%SystemRoot%\System32\Winevt\Logs\ </CODE></PRE> <P>How can I monitor it? I have tried the following, but it does not work:</P> <PRE><CODE>[monitor://%SystemRoot%/System32\Winevt\Logs] targetDC = hqdc06 baseline = false disabled = 0 index = wineventlog renderXml=false Sourcetype = Active Directory </CODE></PRE> Wed, 16 Nov 2016 21:23:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-universal-forwarder-monitor-stanza-to-index/m-p/230772#M44926 anaqvi 2016-11-16T21:23:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-universal-forwarder-monitor-stanza-to-index/m-p/230773#M44927 <P>Hi anaqvi,<BR /> probably the problem is the slash (/) after %SystemRoot%.<BR /> Every way, aren't you able to define %SystemRoot%?</P> <P>Bye.<BR /> Giuseppe</P> Fri, 18 Nov 2016 12:15:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-universal-forwarder-monitor-stanza-to-index/m-p/230773#M44927 gcusello 2016-11-18T12:15:41Z