All Apps and Add-ons

Splunk Add-on for Microsoft Windows: Windows 2012 Event Log Universal Forwarder Defaults - Linux indexer only sees WinEventLog:Setup

davparker
Explorer

I have installed the Universal Forwarder on a Windows 2012 Workgroup Server.
I installed selecting all the Eventlog sources.
It is forwarding events across the wire to an indexer running on Linux. This is verified by examining a packet capture in Wireshark.
The Indexer only seems to be processing data for the WinEventLog:Setup sourcetype. I installed the Splunk_TA_windows Add-on. Everything is at the default settings. I'm not certain why the Indexer is only choosing to process this Windows Eventlog sourcetype. Like I indicated, everything is at the defaul settings, so I would assume all Eventlog data would get ingested.
How do I go about testing?

Splunk Version 6.2.2 Splunk Build 255606
splunkforwarder-6.2.2-255606-x64-release
Splunk_TA_windows 4.7.5 Windows Add-on

kpoindexterjr
Engager

@davparker, are you still around? I need assistance with my AC88U!

0 Karma

davparker
Explorer

Update:
The following directory didn't exist on the indexer so I created it.
/opt/splunk/etc/apps/Splunk_TA_windows/local
I copied inputs.conf over to the local dir then modified like so:

OS Logs

[WinEventLog://Application]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0

start_from = oldest

current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

Apparently for some reason the default is disabled. But even after enabling and restarting Splunk, no other even sources than WinEventLog:Setup get processed. So either the placement of the inputs.conf file is wrong, or there is some other issuje.

Thanks,
David

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...