How to forward Windows 2003 logs


New to Splunk, I am trying to get logs forwarded from a 2003 server that we have, but am having no luck.
I installed a legacy version of the universal forwarder.
I modified the inputs.conf file to have the correct hostname:

host = fax

Windows platform specific input processor.

disabled = 0 

disabled = 0 

disabled = 0 

This didn't work, so I got the name/path of the log and tried this:


This also didn't work. I'm still new to Splunk (2 weeks in), so I apologize if this is an easy one, but does anyone have any suggestions? I haven't been able to find any documentation online about how to configure the inputs.conf file in 2003 to point to the logs.

Kevin Baker



Could you share the outputs.conf you configured?



You might check to see if the UF is making a good connection with your indexer first:

• After running splunk add forward-server, the forwarder should be communicating with the indexer
– Splunk forwarder logs are automatically sent to the indexer's _internal index

• To check for a successful connection from the indexer:
– In the GUI, search index=_internal host=forwarder_hostname
– From the CLI, run splunk display listen

• On the forwarder:
– To view the current forwarder-to-indexer configuration, run splunk list forward-server


Thanks for the tip. I was able to get it communicating. I had originally set up an input for UDP:9997 where the outputs.conf was trying TCP. I changed it to TCP:9998 and then created an input for that port, and now it's at least sending something. I'm not sure what log this is, but it doesn't seem to be sending the correct logs through. Here's an example:


I have a number of those, but nothing that looks like a normal windows event log.

When I created the TCP:9998 input, I selected the sourcetype WinEventLog:Security.



Here is the outputs.conf file:

defaultGroup = default-autolb-group

server =




Have you enabled the listening port 9997 on the indexer? Also, verify connectivity between your Universal Forwarder and indexer on port 9997.
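The thread's two recurring questions (is the forwarder pointed at a receiving port the indexer actually listens on, and are the Windows event log stanzas enabled) can be checked mechanically from the two .conf files. The script below is an added example, not code from this thread or from Splunk. It parses a forwarder's outputs.conf and the indexer's inputs.conf, and flags the mismatch seen above: a Universal Forwarder speaks Splunk's own splunktcp (S2S) protocol, so its target port must be a [splunktcp://PORT] receiver (what splunk enable listen writes), not a raw [udp://PORT] or [tcp://PORT] input; a sourcetype set on a raw input does not turn the S2S stream into event logs. The hostname, the sample configs and the [splunktcp-ssl://] omission are assumptions made for the demo.

```python
"""Check a Universal Forwarder's outputs.conf against an indexer's inputs.conf.

Added example (not from the thread or from Splunk). All sample configs below
are constructed for the demonstration; the hostname is a placeholder.
"""
import configparser

# Constructed: the forwarder side, as in the thread (default-autolb-group).
FORWARDER_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer.example.local:9997
"""

# Constructed: an indexer with only a raw UDP input on 9997 (the mismatch).
INDEXER_INPUTS_BAD = """
[udp://9997]
sourcetype = WinEventLog:Security
"""

# Constructed: the indexer after `splunk enable listen 9997`, which creates
# a splunktcp receiver stanza that understands the forwarder's S2S stream.
INDEXER_INPUTS_GOOD = """
[splunktcp://9997]
disabled = 0
"""

# Constructed: forwarder inputs.conf collecting the three classic channels.
FORWARDER_INPUTS = """
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
"""


def parse_conf(text):
    """Parse a Splunk .conf file (INI-like, keys are case-sensitive) into a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case (defaultGroup, not defaultgroup)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def forwarder_targets(outputs_text):
    """Return the (host, port) pairs the forwarder's default output group connects to."""
    conf = parse_conf(outputs_text)
    group = conf.get("tcpout", {}).get("defaultGroup", "")
    servers = conf.get(f"tcpout:{group}", {}).get("server", "")
    targets = []
    for entry in servers.split(","):
        entry = entry.strip()
        if entry:
            host, _, port = entry.rpartition(":")
            targets.append((host, int(port)))
    return targets


def indexer_receivers(inputs_text):
    """Map listening port -> input scheme ('splunktcp', 'tcp' or 'udp') for enabled stanzas.

    Assumption: [splunktcp-ssl://] receivers are not considered here.
    """
    receivers = {}
    for stanza, settings in parse_conf(inputs_text).items():
        scheme, sep, rest = stanza.partition("://")
        if not sep or scheme not in ("splunktcp", "tcp", "udp"):
            continue
        if settings.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        port = int(rest.rsplit(":", 1)[-1])  # tolerate the "host:port" stanza form
        receivers[port] = scheme
    return receivers


def check_forwarding(outputs_text, inputs_text):
    """Return a list of problems; an empty list means every target port is a splunktcp receiver."""
    problems = []
    receivers = indexer_receivers(inputs_text)
    for host, port in forwarder_targets(outputs_text):
        scheme = receivers.get(port)
        if scheme is None:
            problems.append(f"{host}:{port}: indexer has no enabled input on port {port} "
                            f"(run `splunk enable listen {port}` on the indexer)")
        elif scheme != "splunktcp":
            problems.append(f"{host}:{port}: port {port} is a raw [{scheme}://] input, but a "
                            f"forwarder sends splunktcp (S2S); use [splunktcp://{port}] instead")
    return problems


def enabled_event_logs(inputs_text):
    """Windows Event Log channels the forwarder will collect (stanzas not disabled)."""
    channels = []
    for stanza, settings in parse_conf(inputs_text).items():
        if stanza.startswith("WinEventLog:"):
            name = stanza.split("WinEventLog:", 1)[1].lstrip("/")
            if settings.get("disabled", "0").strip() != "1":
                channels.append(name)
    return channels


if __name__ == "__main__":
    for label, inputs in (("raw UDP input", INDEXER_INPUTS_BAD),
                          ("splunktcp receiver", INDEXER_INPUTS_GOOD)):
        print(f"indexer with {label}: {check_forwarding(FORWARDER_OUTPUTS, inputs) or 'OK'}")
    print("channels collected:", enabled_event_logs(FORWARDER_INPUTS))
```

Run it as-is to see the raw-input case flagged and the splunktcp case pass; to check a real deployment, read the two files from $SPLUNK_HOME/etc/system/local (or the app directory that holds them) into the two text arguments.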

