Getting Data In
Highlighted

Does the Universal forwarder collect historical windows event logs?

Explorer

I have installed the UF on a number of servers and I configured ti to monitor the winodws event logs (Application, System, Security). It looks like the UF has only picked up the event logs starting from when it was installed. Is there a way to tell the UF to ingest all of the event logs from the past?

0 Karma
Highlighted

Re: Does the Universal forwarder collect historical windows event logs?

Ultra Champion

Did you change the start_from and/or current_only settings in inputs.conf for those wineventlog inputs? Please share the relevant inputs.conf code.

Given the default settings, both of those should be 0, resulting in Splunk also reading existing events if I'm not mistaken.

0 Karma
Highlighted

Re: Does the Universal forwarder collect historical windows event logs?

Explorer

Here is my input. I did not specify either of the settings you mentioned. Is the default behavior of the UF to only ingest new data from after it is installed?
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://secRMM]
disabled = 0
index = wineventlog

[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog


[WinEventLog://Microsoft-Windows-Powershell/Operational]
disabled = 0
index = wineventlog
0 Karma
Highlighted

Re: Does the Universal forwarder collect historical windows event logs?

New Member

did you solve that?

0 Karma