topic Re: Re-configuring Universal Forwarder After Install in Getting Data In

Re-configuring Universal Forwarder After Install

Brazzz — Tue, 01 May 2012 19:41:35 GMT

Currently have a universal forwarder installed.

During set up it was set to forward PerfMon.

I would like to add Windows Event Logs.
(App Logs, Security Logs, Sys Logs, Forwarder Event Logs, and Setup Logs)
How would I go about re-configuring the universal forwarder?

Re: Re-configuring Universal Forwarder After Install

sdaniels — Mon, 28 Sep 2020 11:45:46 GMT

You will just need to modify your inputs.conf file on the forwarder. See the link below. Also, you can monitor windows remotely via WMI so if it's a small number of servers you could do that rather than installing forwarders on all of your windows servers.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

OS Logs

[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

The Splunk App for Windows has configurations already created for you as well. I pulled the above from the inputs.conf file on the Windows app.

http://splunk-base.splunk.com/apps/22315/splunk-app-for-windows

Re: Re-configuring Universal Forwarder After Install

FRoth — Fri, 21 Dec 2012 16:36:21 GMT

My etc\system\local\inputs.conf contains nothing useful.
I configured local Eventlog "Security" and "Forwarded Events".
My Input file contains this:
[default]
host = ZEUS