I've got a universal forwarder and I'm trying to monitor
C:\Windows\System32\winevt\Logs. I've tried 2 solutions: CLI and Inputs.conf.
splunk add monitor C:\Windows\System32\winevt\Logs

[monitor://C:\Windows\System32\winevt\Logs]
disabled = 0
Both solutions are not working, and I've tried a combination of the two. Am I missing a step? Are there any ways to troubleshoot this so I can get a clear picture of what's happening (in this case, not happening)?
This one doesn't seem to be working either. I've also made sure that the index is created on the indexer.
I tried putting the path in $SPLUNK_HOME/etc/app/ and it worked, but it doesn't monitor the logs in real time and it seems to only get the logs once.
The logs I was trying to monitor are Windows Event Logs, which a monitor stanza can't monitor dynamically. To monitor Windows event logs you have to use the [WinEventLog] stanza. See this documentation for more details:
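As an added example (not part of the original thread), here is what a universal forwarder inputs.conf looks like once the file monitor on the .evtx directory is replaced by WinEventLog stanzas for the three common channels. The app directory name and the index name `wineventlog` are assumptions; the index has to exist on the indexer before the forwarder sends to it.

```ini
# Added example, not from the original thread.
# Assumed location on the forwarder (app name is an assumption):
#   %SPLUNK_HOME%\etc\apps\my_wineventlog_inputs\local\inputs.conf

# What the question tried: a file monitor on the .evtx directory.
# The forwarder reads each file once and never follows the live channel,
# so this stanza is intentionally left disabled.
[monitor://C:\Windows\System32\winevt\Logs]
disabled = 1

# What works: one WinEventLog stanza per channel. These read through the
# Windows event log API, so new events arrive continuously.
[WinEventLog://Security]
disabled = 0
# Target index (assumed name); must already be created on the indexer.
index = wineventlog
# Read the existing backlog first, then keep following new events.
start_from = oldest
# 0 = backlog plus live events; 1 = only events written after the input starts.
current_only = 0
# Seconds between checkpoint writes, so a forwarder restart resumes
# where it left off instead of re-reading the channel.
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
```

After a `splunk restart` on the forwarder, `splunk btool inputs list WinEventLog://Security --debug` shows the effective stanza and which inputs.conf it came from, which is the quickest way to see whether a stanza is being ignored or overridden. On the indexer, `index=wineventlog source="WinEventLog:Security"` should start returning events within a few minutes; if Security stays empty while System and Application flow, check that the forwarder service runs as Local System or as an account with read access to the Security channel, since that channel is not readable by ordinary users.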