https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370026#M92879 <P>Hi santiagn,<BR /> if you want to ingest Windows Event Logs the easiest way is to install on Forwarder Splunk_TA_Windows, enabling only stanzas that you want.</P> <P>Anyway, in your inputs.conf there isn't any index so try inserting in your search <CODE>index=main</CODE></P> <P>If there still aren't any logs, verify if your indexer receives logs from the forwarder using this search <CODE>index=_internal host=your_host</CODE><BR /> In this way you verify if your forwarder is correctly connected to Indexer.</P> <P>If not, verify firewalls ans outputs.conf in your forwarder.<BR /> If you have _internal logs, verify that forwarder and indexer are time aligned and that Windows on forwarder create logs (verify policies).</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 14:38:46 GMT gcusello 2020-09-29T14:38:46Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370025#M92878 <P>hi</P> <P>i added the below to my inputs.conf and restarted the forwarder service but when i search my host it still does not return any wineventlogs. am i missing something or doing something wrong?</P> <P>[WinEventLog://Application]<BR /> disabled = 0</P> <P>[WinEventLog://Security]<BR /> disabled = 0</P> <P>[WinEventLog://System]<BR /> disabled = 0</P> Fri, 23 Jun 2017 15:13:41 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370025#M92878 santiagn 2017-06-23T15:13:41Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370026#M92879 <P>Hi santiagn,<BR /> if you want to ingest Windows Event Logs the easiest way is to install on Forwarder Splunk_TA_Windows, enabling only stanzas that you want.</P> <P>Anyway, in your inputs.conf there isn't any index so try inserting in your search <CODE>index=main</CODE></P> <P>If there still aren't any logs, verify if your indexer receives logs from the forwarder using this search <CODE>index=_internal host=your_host</CODE><BR /> In this way you verify if your forwarder is correctly connected to Indexer.</P> <P>If not, verify firewalls ans outputs.conf in your forwarder.<BR /> If you have _internal logs, verify that forwarder and indexer are time aligned and that Windows on forwarder create logs (verify policies).</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 14:38:46 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370026#M92879 gcusello 2020-09-29T14:38:46Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370027#M92880 <P>I have been facing the same issue. Check to make sure your ports are allowed to send data. </P> <P>go to the Windows Firewall with Advanced Security and check the inbound rules. look for the port your host is on. if it isn't there, add a rule for it, and see if that fixes any issues.</P> Fri, 23 Jun 2017 15:24:31 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370027#M92880 cmerriman 2017-06-23T15:24:31Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370028#M92881 <P>adding index=main made it work. </P> <P>thanks so much!</P> Fri, 23 Jun 2017 15:28:37 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370028#M92881 santiagn 2017-06-23T15:28:37Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370029#M92882 <P>thanks! but i should've mentioned that i have cpu load and avail memory already working just the wineventlog stanza wasn't. </P> Fri, 23 Jun 2017 15:29:40 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-question/m-p/370029#M92882 santiagn 2017-06-23T15:29:40Z