All Apps and Add-ons

Splunk Add-on for Microsoft Windows: Windows 2012 Event Log Universal Forwarder Defaults - Linux indexer only sees WinEventLog:Setup

davparker
Explorer

I have installed the Universal Forwarder on a Windows 2012 Workgroup Server.
I installed selecting all the Eventlog sources.
It is forwarding events across the wire to an indexer running on Linux. This is verified by examining a packet capture in Wireshark.
The Indexer only seems to be processing data for the WinEventLog:Setup sourcetype. I installed the Splunk_TA_windows Add-on. Everything is at the default settings. I'm not certain why the Indexer is only choosing to process this Windows Eventlog sourcetype. Like I indicated, everything is at the defaul settings, so I would assume all Eventlog data would get ingested.
How do I go about testing?

Splunk Version 6.2.2 Splunk Build 255606
splunkforwarder-6.2.2-255606-x64-release
Splunk_TA_windows 4.7.5 Windows Add-on

kpoindexterjr
Engager

@davparker, are you still around? I need assistance with my AC88U!

0 Karma

davparker
Explorer

Update:
The following directory didn't exist on the indexer so I created it.
/opt/splunk/etc/apps/Splunk_TA_windows/local
I copied inputs.conf over to the local dir then modified like so:

OS Logs

[WinEventLog://Application]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0

start_from = oldest

current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

Apparently for some reason the default is disabled. But even after enabling and restarting Splunk, no other even sources than WinEventLog:Setup get processed. So either the placement of the inputs.conf file is wrong, or there is some other issuje.

Thanks,
David

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...