Hi,
all our UF and HF use the following for the Windows input:
[WinEventLog://Security]
sourcetype=XmlWinEventLog:Security
renderXml=1
...
All UFs and the cluster are on Splunk 7.2.4.2.
I recently installed a few HFs and there used the latest Splunk code: 8.0.2.
My 7.* UFs arrive with the following sourcetype and source:
XmlWinEventLog:Security XmlWinEventLog
My 8.* HFs arrive instead with:
WinEventLog:Security xmlwineventlog
Any ideas what's going wrong?
I have the Splunk_TA_windows installed on the Search Head, which renames all the sourcetypes, but that of course applies to all Windows sourcetypes. But it looks like the sourcetype renaming only applies to the HFs, and it still does not explain why the source is changed as well.
thx
afx
Verify that props.conf on your 8.* HFs is owned by splunk:splunk. Also, any change to props.conf requires cycling the Splunk daemon to take effect.
My 8.* forwarder runs on Windows as Local System.
There is no props.conf for the Windows event log on the box. Just an input like on all other Windows boxes.
cheers
afx