I have installed the Universal Forwarder on a Windows 2012 Workgroup Server.
I installed selecting all the Eventlog sources.
It is forwarding events across the wire to an indexer running on Linux. This is verified by examining a packet capture in Wireshark.
The Indexer only seems to be processing data for the WinEventLog:Setup sourcetype. I installed the Splunk_TA_windows Add-on. Everything is at the default settings. I'm not certain why the Indexer is only choosing to process this Windows Eventlog sourcetype. Like I indicated, everything is at the default settings, so I would assume all Eventlog data would get ingested.
How do I go about testing?
Splunk Version 6.2.2 Splunk Build 255606
splunkforwarder-6.2.2-255606-x64-release
Splunk_TA_windows 4.7.5 Windows Add-on
@davparker, are you still around? I need assistance with my AC88U!
Update:
The following directory didn't exist on the indexer so I created it.
/opt/splunk/etc/apps/Splunk_TA_windows/local
I copied inputs.conf over to the local dir then modified like so:
[WinEventLog://Application]
disabled = 0
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
Apparently for some reason the default is disabled. But even after enabling and restarting Splunk, no other event sources than WinEventLog:Setup get processed. So either the placement of the inputs.conf file is wrong, or there is some other issue.
Thanks,
David
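The question above comes down to which WinEventLog stanzas end up enabled once Splunk layers the app's default/inputs.conf under local/inputs.conf (local wins, key by key within a stanza), and that layering is evaluated on the host that runs the inputs, i.e. the Universal Forwarder rather than the indexer. The script below is an added example, not code from the poster or from Splunk, that reproduces that merge offline so the effective state of each stanza can be checked before restarting anything; the two conf texts are constructed (the default layer is written so that only WinEventLog://Setup is enabled, matching what the poster observed), and the parser is a simplified reading of Splunk's conf format. On a real host the equivalent check is `splunk btool inputs list --debug`, run from the forwarder's bin directory.

```python
"""Merge Splunk .conf layers (default, then local) and report which
WinEventLog inputs are effectively enabled.

Added example: it mimics the key-level precedence that
`splunk btool inputs list --debug` prints, using constructed conf text.
"""

# Constructed default layer: the add-on ships its inputs switched off
# except Setup, which is the only stanza the poster saw being indexed.
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
index = wineventlog

[WinEventLog://Security]
disabled = 1
index = wineventlog

[WinEventLog://System]
disabled = 1
index = wineventlog

[WinEventLog://Setup]
disabled = 0
index = wineventlog
"""

# Constructed local layer, modelled on the poster's edits (raw string so
# the regex backslashes survive unchanged).
LOCAL_CONF = r"""
[WinEventLog://Application]
disabled = 0
current_only = 1

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

[WinEventLog://System]
disabled = 0
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like: '[stanza]' headers, 'key = value'
    lines, '#' comments. Keys are case-sensitive and values keep every
    '=' after the first one, which matters for blacklist regexes.
    """
    stanzas = {}
    current = "default"  # Splunk puts keys before any header in [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a key/value line; ignore
        key, value = line.split("=", 1)
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Later layers override earlier ones key by key (local over default)."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def is_enabled(settings):
    """A stanza is enabled unless disabled is set to 1/true."""
    return settings.get("disabled", "0").strip().lower() not in ("1", "true")


def enabled_wineventlog_inputs(merged):
    """Return the sorted list of WinEventLog stanzas that will collect."""
    return sorted(
        name for name, settings in merged.items()
        if name.startswith("WinEventLog://") and is_enabled(settings)
    )


def effective_inputs(default_text, local_text):
    """Convenience wrapper: parse both layers, merge, list enabled inputs."""
    return enabled_wineventlog_inputs(
        merge_layers(parse_conf(default_text), parse_conf(local_text))
    )


if __name__ == "__main__":
    print("default only :", enabled_wineventlog_inputs(parse_conf(DEFAULT_CONF)))
    print("with local   :", effective_inputs(DEFAULT_CONF, LOCAL_CONF))
```

If the merged list shows the stanzas you expect but the indexer still only receives Setup events, the local layer is being applied on the wrong host; the same merge run against the forwarder's own etc/apps/Splunk_TA_windows/{default,local}/inputs.conf is the one that counts.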