Hello,
I installed a Universal Forwarder (UF) on a Windows server box. I didn't select the customize options; I only did "Next" and only specified my deployer. Now that I am done, I would like to tell the Windows servers that I only need Windows Security logs (from the Event Viewer) to be forwarded to my Splunk instance. How do I do that? How do I change that?
Thank you!
Look for inputs.conf in your Universal Forwarder ($SPLUNK_HOME/etc/apps, should be under some app). There can be many inputs.conf files; find one which has a [WinEventLog:.... type stanza. You can say disabled = 1 for all entries which you want to disable. Just keep disabled = 0 for the [WinEventLog:Security] stanza.
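To locate the inputs.conf files that carry WinEventLog stanzas before editing them as the answer above describes, the following PowerShell script (an added example, not part of the original answer and not Splunk's own tooling) lists each stanza with the file it came from and its disabled value. The install path is an assumed default and the function name Get-WinEventLogStanza is made up for this example; the script reports each file separately and does not merge Splunk's configuration layering.

```powershell
# Added example: list every WinEventLog stanza found in inputs.conf files under
# the forwarder's etc\apps directory, with its source file and "disabled" value.
param(
    # Assumed install path; change it if the forwarder lives elsewhere.
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

# Hypothetical helper: parse one inputs.conf and emit its WinEventLog stanzas.
function Get-WinEventLogStanza {
    param([string]$Path)

    $stanza = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        # Skip blank lines and comments.
        if ($text -eq '' -or $text.StartsWith('#')) { continue }

        if ($text -match '^\[(.+)\]$') {
            # New stanza header: emit the previous match before starting over.
            if ($stanza) { $stanza }
            $stanza = $null
            # Matches both [WinEventLog:Name] and [WinEventLog://Name].
            if ($Matches[1] -like 'WinEventLog:*') {
                $stanza = [pscustomobject]@{
                    Stanza   = $Matches[1]
                    Disabled = '(not set in this file)'
                    File     = $Path
                }
            }
        }
        elseif ($stanza -and $text -match '^disabled\s*=\s*(\S+)') {
            # Record the value exactly as written (0/1/true/false).
            $stanza.Disabled = $Matches[1]
        }
    }
    if ($stanza) { $stanza }
}

$appsDir = Join-Path $SplunkHome 'etc\apps'
Get-ChildItem -LiteralPath $appsDir -Recurse -Filter 'inputs.conf' -File |
    ForEach-Object { Get-WinEventLogStanza -Path $_.FullName } |
    Sort-Object Stanza, File |
    Format-Table -AutoSize -Wrap
```

After changing the disabled values, rerun the script to confirm that only the Security stanza is left enabled in the files you edited.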
This worked! Thank you very much!