I configured the Universal Forwarder to push the Windows event logs (ADFS logs) to the main Splunk server.
Can anyone help me with how to configure the application and indexer?
Thanks in advance.
A little more information would be helpful... what app, what index, what specifically do you need help with? You might want to take a look at the Splunk App for Active Directory (http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory) as it will do most of the configuration for you.
I specified it like this:
disabled = 0
index = myIndex
All the security logs start moving to the specified index.
Now the problem is... I want to filter the security logs before pushing them to the server. For example, I want to push only the logs with SourceName=AD FS 2.0 Auditing.
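One way to do the SourceName filtering asked for above on the forwarder itself, as an added example that is not from this thread: Windows event log inputs in newer Splunk versions accept whitelist/blacklist keys in inputs.conf (assumed to be available on the forwarder version in use; myApp and myIndex are the names used in the thread).

```ini
# inputs.conf on the universal forwarder, e.g. $SPLUNK_HOME/etc/apps/myApp/local/inputs.conf
# (myApp and myIndex are the names from this thread; whitelist support on the
# Windows event log input is assumed to exist on the forwarder version in use)
[WinEventLog://Security]
disabled = 0
index = myIndex
# Forward only events whose SourceName matches this regex; everything else is
# dropped on the forwarder, before it crosses the network to the indexer.
# The regex is delimited by % signs; "." is escaped so "2.0" is matched literally.
whitelist = SourceName=%^AD FS 2\.0 Auditing$%
```

After editing, restart the forwarder and confirm the effective stanza with "splunk btool inputs list --debug" so a stray inputs.conf in another app does not silently override the filter.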
It sounds like you have already configured the forwarder to push ADFS logs (which means you configured an inputs.conf file to monitor a directory). In that inputs.conf, add index=myIndex and you should be good. There can be multiple inputs.conf files on a forwarder, so you could have configured it in a number of places.
To specify the index you want an input to go to, just add:
to the monitor stanza in your inputs.conf (on the forwarder).
I don't believe Splunk for AD supports ADFS logs specifically.
In Splunk Web we can add a new application (say myApp), right? And I created a new index as well (called myIndex). And then on our application server I installed the Universal Forwarder and configured it to push ADFS logs. Logs are moving to the main index.