Is it possible to add to the Splunk forwarder via the command line items from Windows Event Viewer? I know we can update inputs.conf but is it possible via the command line?
If it is possible, shouldn't monitored event log items show up when you list monitored items?
splunk list monitor
Doesn't display event log items. Thanks
Edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0

Then restart the Windows service for the universal forwarder to re-read the changes.
Monitored Event Log Collections:
    localhost
        disabled:1
        hosts:localhost
        index:default
        logs:
            Application
            ForwardedEvents
            HardwareEvents
            Internet Explorer
            Security
            Setup
            System
Just got the above as the result of
C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog
How to enable the log monitor?
Those don't show up in splunk list monitor because a Windows event log entry looks like this:
rather than this:
Hence they're not monitor type stanzas.
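
Added example, not part of any post in this thread: a small Python audit of inputs.conf text that keeps monitor:// stanzas apart from WinEventLog:// stanzas and reports required event logs that have no enabled stanza. The sample config, the function names and the rule that a stanza counts as enabled only with an explicit disabled = 0 are assumptions of this example.

```python
import re

# Constructed sample (not from a real host): stanzas like the answer's, plus a file monitor.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\Logs\app.log]
disabled = 0
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://DNS Server]
disabled = 0
"""

STANZA = re.compile(r"^\[([A-Za-z]+)://(.+)\]\s*$")
FALSEY = {"0", "false"}

def parse_inputs(text):
    """Return {(input_type, target): enabled} for each scheme://target stanza."""
    inputs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            # Stanzas without a scheme (e.g. [default]) are skipped, not misattributed.
            current = (m.group(1), m.group(2)) if m else None
            if current:
                inputs[current] = False  # assumption: enabled only once disabled = 0 is seen
            continue
        key, sep, value = line.partition("=")
        if current and sep and key.strip().lower() == "disabled":
            inputs[current] = value.strip().lower() in FALSEY
    return inputs

def enabled_targets(inputs, input_type):
    """Sorted targets of one input type (e.g. 'WinEventLog') that are enabled."""
    return sorted(t for (kind, t), on in inputs.items() if kind == input_type and on)

def missing_event_logs(inputs, required):
    """Required event log channels that have no enabled WinEventLog stanza."""
    have = set(enabled_targets(inputs, "WinEventLog"))
    return [name for name in required if name not in have]

if __name__ == "__main__":
    parsed = parse_inputs(SAMPLE_INPUTS_CONF)
    print("WinEventLog enabled:", enabled_targets(parsed, "WinEventLog"))
    print("missing:", missing_event_logs(parsed, ["Application", "Security", "System"]))
```

On the constructed sample, Security is reported as missing because its stanza is present but disabled, and System because it has no stanza at all.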