I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving any data. This is my ...\etc\system\local\inputs.conf
[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0
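As an added example (not from the thread), here is a small Python check that parses the forwarder's inputs.conf above together with the indexer's indexes.conf and reports every WinEventLog stanza that is enabled but targets an index the indexer does not define, since the indexer drops events sent to an index it does not have. The indexes.conf text is a constructed sample that deliberately lacks the wineventlog index.

```python
import re
# Constructed sample: the forwarder's inputs.conf from the question, one setting per line.
FORWARDER_INPUTS_CONF = """\
[default]
host = PBDC-LT-16
[WinEventLog:System]
interval=60
index=wineventlog
disabled=0
[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0
[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0
"""
# Constructed sample indexes.conf for the indexer; 'wineventlog' is deliberately absent.
INDEXER_INDEXES_CONF = """\
[main]
homePath = $SPLUNK_DB/defaultdb/db
"""
def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas
def check_wineventlog_inputs(inputs_text, indexes_text):
    """One finding per WinEventLog stanza: is it enabled, and does its index exist on the indexer?"""
    inputs = parse_conf(inputs_text)
    defaults = inputs.get("default", {})  # [default] keys are inherited by every other stanza
    defined = {s for s in parse_conf(indexes_text) if s != "default" and not s.startswith("volume:")}
    findings = []
    for name, keys in inputs.items():
        if name.startswith("WinEventLog:"):
            merged = {**defaults, **keys}
            index = merged.get("index", "main")  # inputs with no index go to the default index, main
            findings.append({"stanza": name, "index": index,
                             "enabled": merged.get("disabled", "0").lower() in ("0", "false"),
                             "index_defined": index in defined})
    return findings
```

Run it against the real files (`$SPLUNK_HOME/etc/system/local/inputs.conf` on the forwarder, the indexer's effective indexes.conf) and any finding with `index_defined` False explains silently missing data even when the forwarder is phoning home.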
Very nice, I didn't realize this was an option. However, it's a bit light. The config files have far more options to configure, and I can't determine how to do that.
Again, I have followed that. I have changed /etc/system/local/inputs.conf to the config shown above, on the local forwarder. I restarted the Splunk Forwarder service, and did not see any change.
Is outputs.conf pointing to your indexer? Did you restart the Splunk web service after making these changes?
Yep, outputs.conf is fine. The inputs.conf file I'm referencing here is on the forwarder, not the server. Why would I restart the server?
Here's a similar situation on Answers that might help resolve your issue:
In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."
If I configure the Splunk server to get the data, it works. I feel it's just a wrong config rather than ports or firewalls. I'll take a look though.