
How to edit my universal forwarder monitor stanza to index Active Directory server logs?


I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path:


How can I monitor it? I have tried the following, but it does not work:

    # stanza header ([...]) not shown in the post
    # key names corrected to the case Splunk uses: targetDc, sourcetype
    targetDc = hqdc06
    baseline = false
    disabled = 0
    index = wineventlog
    sourcetype = Active Directory

Esteemed Legend

Hi anaqvi,
probably the problem is the slash (/) after %SystemRoot%.
In any case, aren't you able to define %SystemRoot%?


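For reference, here is an added inputs.conf example for a universal forwarder on a domain controller; it is not the configuration posted in this thread or shipped by Splunk. It separates the two things the question mixes: the admon input (where targetDc and baseline belong) for Active Directory object changes, and a WinEventLog input for the Security log. The stanza names, the base DN in startingNode, the file path in the monitor stanza and the sourcetype there are placeholders; "hqdc06" and the index "wineventlog" are taken from the question.

```ini
# Added example inputs.conf (not the thread's own configuration).
# Stanza names, startingNode, the monitor path and its sourcetype are placeholders.
# Splunk conf keys are case-sensitive and comments must start a line,
# so do not append "# ..." after a value.

# 1. Active Directory object and schema change monitoring.
#    targetDc and baseline are keys of this input type, not of a monitor stanza.
[admon://ActiveDirectory]
targetDc = hqdc06
# placeholder base DN; use the domain's own DN
startingNode = DC=example,DC=local
monitorSubtree = 1
# 0 = do not dump the whole directory on start, only subsequent changes
baseline = 0
disabled = 0
index = wineventlog

# 2. Windows Security event log: logons, account and group changes.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# resolve SIDs/GUIDs to names so events are readable without a lookup
evt_resolve_ad_obj = 1
index = wineventlog

# 3. A file-based monitor, if a log file on disk is really what is wanted.
#    Use an explicit Windows path with backslashes; the reply above suggests
#    the slash after %SystemRoot% in the original path was the problem.
[monitor://C:\Windows\System32\LogFiles\PLACEHOLDER_AD_LOGS]
disabled = 0
index = wineventlog
sourcetype = placeholder_ad_logfile
```

After deploying the file under the forwarder's app or local directory, restart the forwarder and confirm from the indexer with a search such as index=wineventlog sourcetype=ActiveDirectory (the admon input's default sourcetype) that events arrive from that host.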