We are collecting the Security Event Log from Windows 2012 Server which has Universal Forwarder installed, and I found that some of the logs were not sent to Indexer even though UseAck=true.
Is there a anyway to send only the specific logs to Indexer?
Thanks in advance,
UseAck=true should help you prove where the breakdown did/not happen but there is no reason that the forwarding should not normally be reliable. I have some skepticism that "some" events did not make it in, if everything is configured correctly. We need to see your inputs.conf to be sure.
Hi kuga_mbsd, You could perhaps build a WMI query to get specific eventcodes, reviewing the documentation here might help : http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata#Examples_of_wmi.conf
My next guess would be a script based oneshot gathering the events together as text (xml probably) and indexing the results.
Please let me know if this answers your question! 😄
Thank you for your answers.
Regarding the URL you gave me is pulling the logs on the remote Windows host, is that right?
Unfortunately Indexer doesn't have access to the server since Firewall is blocking.
Do you think if Universal Forwarder will send the only specific logs by executing some commands?
Yup, you can use powershell to retrieve specific eventlogs described in more detail here : https://technet.microsoft.com/en-us/library/hh849834.aspx
Get-EventLog -LogName "*Security*" -Message "*the message you are looking for*"