Getting Data In

How to edit my universal forwarder monitor stanza to index Active Directory server logs?

anaqvi
Explorer

I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path:

%SystemRoot%\System32\Winevt\Logs\

How can I monitor it? I have tried the following, but it does not work:

[monitor://%SystemRoot%/System32\Winevt\Logs]
targetDC = hqdc06
baseline = false
disabled = 0
index = wineventlog
renderXml=false
Sourcetype = Active Directory
0 Karma

gcusello
Esteemed Legend

Hi anaqvi,
probably the problem is the slash (/) after %SystemRoot%.
Every way, aren't you able to define %SystemRoot%?

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...