Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I monitor Forwarded Events logs on Windows?

ericlarsen
Path Finder
‎09-21-2016 09:51 AM

I'm trying to monitor Forwarded Events logs on Windows (not application, system, etc.)?

My inputs.conf stanza looks like this:

[WinEventLog://Forwarded Events]

Doesn't seem to work. Anyone had success monitoring this type of event log?

Any help would be much appreciated.
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-21-2016 11:49 AM

Hi ericlarsen,

just try this. Ignore the Space between "Forwarded Events".

[WinEventLog://ForwardedEvents]
index= YOUR_INDEX
disabled = 0

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

TStrauch
Communicator
‎09-21-2016 11:49 AM

Hi ericlarsen,

just try this. Ignore the Space between "Forwarded Events".

[WinEventLog://ForwardedEvents]
index= YOUR_INDEX
disabled = 0

regards

Reply
Solved! Jump to solution

ericlarsen
Path Finder
‎09-22-2016 03:58 AM

Unfortunately that did not fix the issue.

0 Karma
Reply
Solved! Jump to solution

TStrauch
Communicator
‎09-22-2016 04:31 AM

Then you have a problem on any other place.

Example from the official inputs.conf documentation of Splunk.

Monitor Windows event logs ForwardedEvents, this time only gathering the
events happening after first starting to monitor, going forward in time.

[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 1
batch_size = 10
checkpointInterval = 5

ignoring the extra parameter this is the right stanza for the inputs.conf.

0 Karma
Reply
Solved! Jump to solution

ericlarsen
Path Finder
‎09-22-2016 12:39 PM

Not sure why, but it works now. Thanks!

0 Karma
Reply
Solved! Jump to solution

ericlarsen
Path Finder
‎09-23-2016 09:22 AM

For those curious, I figured out why it just started suddenly working. I didn't have 'Restart Splunk' selected for the app on the Deployment Manager.

Again, TStrauch, thanks for the help with the monitor stanza.

Reply
Solved! Jump to solution

ericlarsen
Path Finder
‎09-21-2016 10:22 AM

I don't want to monitor System event logs, I want to monitor Forwarded Events event logs.

alt text

I know the UF is working because I can search other data from the same server.

Preview file
6 KB
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎09-21-2016 10:14 AM

Try adding the sourcetype and index in the stanza so it looks like this.. 

[WinEventLog://System]
index = YOUR_INDEX
sourcetype = winEventLogs

Also, do you have the outputs.conf pointing to your indexer?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...