I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path:
How can I monitor it? I have tried the following, but it does not work:
targetDC = hqdc06
baseline = false
disabled = 0
index = wineventlog
Sourcetype = Active Directory
probably the problem is the slash (/) after %SystemRoot%.
Every way, aren't you able to define %SystemRoot%?