How to forward Windows 2003 logs

New Member

New to Splunk, I am trying to get logs forwarded from a 2003 server that we have, but having no luck.
I installed a legacy version of the universal forwarder.
I modified the input.conf file to have the correct hostname:

host = fax

Windows platform specific input processor.

disabled = 0 

disabled = 0 

disabled = 0 

This didn't work, so I got the name/path of the log and tried this:


This also didn't work. I'm still new to Splunk (2 weeks in), so I apologize if this is an easy one, but does anyone have any suggestions? I haven't been able to find any documentation online about how to configure the input.conf file in 2003 to point to the logs.

Kevin Baker

0 Karma


Could you share the outputs.conf configured?

0 Karma


You might check to see if the UF is making a good connection with your indexer first:

- After running splunk add forward-server, the forwarder should be communicating with the indexer
  - Splunk forwarder logs are automatically sent to the indexer's _internal index
- To check for a successful connection from the indexer:
  - In the GUI, search index=_internal host=forwarder_hostname
  - From the CLI, run splunk display listen
- On the forwarder:
  - To view the current forwarder-to-indexer configuration, run splunk list forward-server

0 Karma

New Member

Thanks for the tip. I was able to get it communicating. I had originally set up an input for UDP:9997 where the outputs.conf was trying TCP. I changed it to TCP:9998 and then created an input for that port, and now it's at least sending something. I'm not sure what log this is, but it doesn't seem to be sending the correct logs through. Here's an example:


I have a number of those, but nothing that looks like a normal windows event log.

When I created the input for the TCP:9998 input, I selected the sourcetype as WinEventLog:Security.


0 Karma
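The root cause in this thread was a protocol mismatch: the forwarder's outputs.conf sends over Splunk-to-Splunk TCP, but the indexer's receiving port had been created as a UDP input. The script below is an added example (not code from the thread or from Splunk) that parses the three relevant files and reports that mismatch, along with which Windows event log channels the forwarder actually has enabled. The stanza shapes it relies on are Splunk's documented ones: `[tcpout:<group>]` with a `server` setting in outputs.conf, `[splunktcp://<port>]` for the receiving port in the indexer's inputs.conf, and `[WinEventLog://<Channel>]` with `disabled` on the forwarder. The hostnames, ports and file contents embedded below are constructed samples built to mirror the symptoms described above.

```python
import configparser

# Constructed sample (not from the thread): forwarder outputs.conf that sends
# to one indexer over the Splunk-to-Splunk TCP protocol on port 9997.
UF_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer.example.local:9997
"""

# Constructed sample: an indexer inputs.conf whose only listener on 9997 is a
# plain UDP input, the mismatch the original poster ran into.
INDEXER_INPUTS_CONF = """\
[udp://9997]
sourcetype = syslog
"""

# Constructed sample: forwarder inputs.conf with three Windows event log
# channels, one of them disabled.
UF_INPUTS_CONF = """\
[default]
host = fax

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 0
"""

SPLUNK_RECEIVERS = {"splunktcp", "splunktcp-ssl"}  # stanza types a UF can send to
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def parse_conf(text):
    """Parse Splunk .conf text (INI-like, '=' separated), preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def outputs_targets(cp):
    """Return (host, port) pairs from every [tcpout:<group>] 'server' setting."""
    targets = []
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for entry in cp.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets


def indexer_listeners(cp):
    """Map listening port -> stanza type for [<type>://[host:]<port>] inputs."""
    listeners = {}
    for section in cp.sections():
        kind, sep, rest = section.partition("://")
        port = rest.rsplit(":", 1)[-1]
        if sep and port.isdigit():
            listeners[int(port)] = kind
    return listeners


def check_receiving(outputs_cp, indexer_cp):
    """One finding per outputs.conf target that the indexer cannot receive."""
    findings = []
    listeners = indexer_listeners(indexer_cp)
    for host, port in outputs_targets(outputs_cp):
        kind = listeners.get(port)
        if kind is None:
            findings.append(f"{host}:{port}: indexer has no input listening on port {port}")
        elif kind not in SPLUNK_RECEIVERS:
            findings.append(f"{host}:{port}: indexer listener is '{kind}', "
                            f"forwarder needs a [splunktcp://{port}] stanza")
    return findings


def enabled_eventlogs(cp):
    """Names of WinEventLog channels whose stanza is not disabled."""
    channels = []
    for section in cp.sections():
        if section.startswith("WinEventLog://"):
            disabled = cp.get(section, "disabled", fallback="0").strip().lower()
            if disabled not in TRUE_VALUES:
                channels.append(section[len("WinEventLog://"):])
    return channels


if __name__ == "__main__":
    out, idx, uf = (parse_conf(t) for t in (UF_OUTPUTS_CONF, INDEXER_INPUTS_CONF, UF_INPUTS_CONF))
    for line in check_receiving(out, idx) or ["receiving port configuration is consistent"]:
        print(line)
    print("enabled event log channels:", enabled_eventlogs(uf))
```

Run against the constructed files it reports that port 9997 on the indexer is a `udp` listener rather than `splunktcp`, and that only Application and System are enabled on the forwarder, which is why a Security sourcetype chosen on the receiving side would still show no Security events.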

New Member

Here is the output.conf file:

defaultGroup = default-autolb-group

server =


0 Karma


Have you enabled the listening port 9997 on the indexer? Also, verify connectivity between your Universal Forwarder and Indexer on port 9997.


0 Karma