This is the inputs from the app I created for the windows logs:
[WinEventLog://Application]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0
[WinEventLog://Security]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=0
[WinEventLog://System]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0
I created a special index for it, but it is not getting any results. I also have sent over the splunk TA for windows logs, but still nothing is coming in. The index was created successfully and the apps show on the client. What else am I missing.