All Apps and Add-ons

Splunk Add-on for Microsoft Windows: Windows 2012 Event Log Universal Forwarder Defaults - Linux indexer only sees WinEventLog:Setup

Explorer

I have installed the Universal Forwarder on a Windows 2012 Workgroup Server.
I installed selecting all the Eventlog sources.
It is forwarding events across the wire to an indexer running on Linux. This is verified by examining a packet capture in Wireshark.
The Indexer only seems to be processing data for the WinEventLog:Setup sourcetype. I installed the SplunkTAwindows Add-on. Everything is at the default settings. I'm not certain why the Indexer is only choosing to process this Windows Eventlog sourcetype. Like I indicated, everything is at the defaul settings, so I would assume all Eventlog data would get ingested.
How do I go about testing?

Splunk Version 6.2.2 Splunk Build 255606
splunkforwarder-6.2.2-255606-x64-release
SplunkTAwindows 4.7.5 Windows Add-on

@davparker, are you still around? I need assistance with my AC88U!

0 Karma

Explorer

Update:
The following directory didn't exist on the indexer so I created it.
/opt/splunk/etc/apps/SplunkTAwindows/local
I copied inputs.conf over to the local dir then modified like so:

OS Logs

[WinEventLog://Application]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0

start_from = oldest

currentonly = 1
evt
resolveadobj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0

start_from = oldest

current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

Apparently for some reason the default is disabled. But even after enabling and restarting Splunk, no other even sources than WinEventLog:Setup get processed. So either the placement of the inputs.conf file is wrong, or there is some other issuje.

Thanks,
David

0 Karma