I'm using the Splunk Universal Forwarders on our Citrix XenApp servers to forward logs to Splunk Enterprise. Besides the default Application, Security, and System logs I've also added AppLocker logs.

What I'm seeing is that the AppLocker logs are working as expected, but the Application, Security, and System logs are not making it to Splunk.

What I think is going on is the AppLocker logs are in the default location (%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx) but because these are Citrix XenApp servers and they PXE boot from Citrix Provisioning Services, any changes to the C: drive do not persist between reboots.

So we've moved the Application, Security, and System logs from the default location on the C: drive to Z:\Event Viewer\ (Z:\Event Viewer\Application.evtx, Z:\Event Viewer\Security.evtx, Z:\Event Viewer\System.evtx). The Z:\ drive is unique for each virtual machine and it's contents persist between reboots.

Would this be the reason my Application, Security, and System logs are not being forwarded to Splunk? Does the inputs.conf file need to be changed in order to get these logs forwarding?

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml = 0
evt_resolve_ad_obj = 1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml = 0
evt_resolve_ad_obj = 1

Thanks.