Deployment Architecture

Splunk Universal Forwarder command line install results in no windows event logs but manual GUI installation does?

brianhunter99
New Member

It's not the current version, but due to multiple reasons in my environment we are still running Splunk Enterprise r6.3.0. This has worked fine with Splunk Universal Forwarder versions 6.3.0, 6.3.11, 6.3.13, and 6.5.9, on windows 10 and windows 2012r2 server. However that's when we install the UF using the msi invoked GUI, with all the windows event log boxes checked so that we get event logs forwarded to the indexer. But now, I need to install the UF by invoking a command line. So, I've used the following command below to install. The results are that the UF is installed, perfmon is forwarded, but not windows event logs.
I've read through a number of community answers, the installation doc and searched on google, but can't seem to find anything indicating that there's an issue with setting up forwarding for windows event logs when installing by command line. Would anyone have a suggestion? Am I missing something with the command line invocation?

Note: The following executed as administrator, and running with the default user of Local System. And yes, the ports the port numbers are the same used when doing a manual GUI install. Again, perfmon is being forwarded. Also, you see this is 6.5.9, but I've also tried this with the 6.3.13 installer msi.

msiexec.exe /i splunkforwarder-6.5.9-eb980bc2467e-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="SPLUNKENTERPRISE_FDQN:9997" DEPLOYMENT_SERVER="SPLUNKENTERPRISE_FDQN:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 PERFMON=cpu,memory,network,diskspace /quiet

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...