https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49090#M9329 <P>They fixed the docs on inputs.conf. @rovechikin Should of submitted a change on the docs inputs.conf page to save people the frustration.</P> Wed, 06 Feb 2013 18:51:04 GMT kmjackson788 2013-02-06T18:51:04Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49087#M9326 <P>Hi All I am new to Splunk and having some issue...</P> <P>we have a windows 2008r2 server setup as an event collector for windows servers. Event logs from windows server is being forwarded to this server and goes on to "Forwarded Events" folder.</P> <P>Now I installed universal forwarder on this server with only "Forwarded Events Log" selected. When i go to splunk server, I can't see any events coming.</P> <P>if I install with other option selected(e.g. Application Log), I can see application log of that server appearing on splunk server.</P> <P>I was wondering if i am missing something and will appreciate if some one can guide me.</P> <P>Note:- we have decided not to install splunk agents in every server and not to use wmi as the number of windows we have is lot(in hundreds).</P> <P>Thank you in Advance. </P> Fri, 11 May 2012 06:28:59 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49087#M9326 AKG 2012-05-11T06:28:59Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49088#M9327 <P>the is a slight bug in default configuration. The issue is that "Forwarded Events" have a space between them, while Windows ForwardedEvents event log doesn't. The workaround is to find all occurrences of "Forwarded Events" in *.conf stanzas and remove space, e.g. <BR /><BR /> Splunk\etc&gt;find /s "Forwarded Events" *.conf <BR /><BR /> inputs.conf: [WinEventLog:Forwarded Events] <BR /></P> <P>replace with [WinEventLog:ForwardedEvents] <BR /><BR /> reboot Splunk.</P> Tue, 22 May 2012 18:20:05 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49088#M9327 rovechkin_splun 2012-05-22T18:20:05Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49089#M9328 <P>That fixes it.</P> <P>%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx</P> <P>The space [WinEventLog:Forwarded Events] does not work. Hopefully they fixed the documentation. ( I sent a documentation fix)</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Inputsconf</A> </P> <P>I dont have enough credit to upvote the above answer.</P> Wed, 06 Feb 2013 14:39:33 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49089#M9328 kmjackson788 2013-02-06T14:39:33Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49090#M9329 <P>They fixed the docs on inputs.conf. @rovechikin Should of submitted a change on the docs inputs.conf page to save people the frustration.</P> Wed, 06 Feb 2013 18:51:04 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-is-not-collecting-events-on-Forwarded-Folder/m-p/49090#M9329 kmjackson788 2013-02-06T18:51:04Z