Hi Guys,
I have installed the universal forwarder on a print server (Windows Server 2012 R2) and configured the receiver IP and port on it.
On the Splunk deployment server, I tried to configure Windows Event Logs (Collect event logs from forwarders) under Data Inputs; however, I don't see PrinterServer logs.
Screenshot: https://imgur.com/mEj1Kp5
I have configured inputs.conf under the local directory with the following and restarted the splunkuniversalforwarder service:
[default]
host = PrintServer2012
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
renderXml = 1
checkpointInterval = 5
evt_resolve_ad_obj = 1
start_from = newest
# only index events with these event IDs.
whitelist = 307,805
Any ideas how to get the logs into Splunk?
OK, I can see the data on the Splunk server; however, I didn't explicitly add it under Data > Inputs.
Is there any way to verify which forwarders are forwarding which sort of data?
Any Splunk master?
I would create a new index named winprinmon and then specify it in the inputs file. Also make sure you have enabled Microsoft-Windows-PrintService/Operational in Windows Event Viewer, and configure GP under Computer Configuration > Admin Templates > Printers > Allow job name in event logs to Enabled, to see the names of the files being printed.
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
renderXml = 1
checkpointInterval = 5
evt_resolve_ad_obj = 1
start_from = newest
# only index events with these event IDs.
whitelist = 307,805
index=winprinmon
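The checks discussed in this thread, run from the forwarder itself, as an added example that is not from any poster. The channel name and event IDs come from the inputs.conf above; the install path is an assumed default.

```powershell
# Added example: run in an elevated PowerShell session on the print server.
$channel  = 'Microsoft-Windows-PrintService/Operational'   # from the inputs.conf stanza
$eventIds = 307, 805                                        # from the whitelist line
# Assumption: default Universal Forwarder install path; adjust if installed elsewhere.
$splunk   = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'

# 1. The channel must be enabled in Windows, or there is nothing to forward.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
'Channel enabled: {0}  records: {1}' -f $log.IsEnabled, $log.RecordCount
if (-not $log.IsEnabled) {
    Write-Warning "Enable $channel in Event Viewer before troubleshooting Splunk."
}

# 2. Events matching the whitelist must actually exist locally.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $eventIds } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
} else {
    Write-Warning "No events with IDs $($eventIds -join ',') in $channel yet; print a test page."
}

if (Test-Path $splunk) {
    # 3. Show the effective stanza after all inputs.conf layers are merged,
    #    including which file each setting (index, whitelist, ...) comes from.
    & $splunk cmd btool inputs list "WinEventLog://$channel" --debug

    # 4. Show configured receivers and whether the connection is active.
    #    This command prompts for the forwarder's admin credentials.
    & $splunk list forward-server
} else {
    Write-Warning "splunk.exe not found at $splunk; set `$splunk to the real install path."
}

# 5. On the search head (SPL, not PowerShell), list what each host is sending:
#      | tstats count where index=* by host, index, sourcetype
```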