I am after some help to debug why Splunk is not monitoring my external .evtx files.
Currently have the following:
disabled = 0
index = event_collector
sourcetype = WinEventLog
I have tried to debug this using Splunk list inputstatus and I can see that Splunk is reading the file but it is not getting indexed and I am getting output on my tcp stream with the indexer like this:
To monitor Windows event logs, use the form WinEventLog://<name> where <name> is the type of event you want to monitor. Do not specify a .evtx file as <name>. Do not try to use monitor://*.evtx as Splunk cannot read an event log directly like that.
Your best option is to install a Windows add-on (along with a Universal Forwarder) from splunkbase on the system you want to monitor and then enable the desired inputs.
--- If this reply helps you, an upvote would be appreciated.
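As an added illustration of the stanza form the answer describes (not configuration from the original question or answer), here is an inputs.conf fragment that contrasts the unsupported monitor-a-.evtx-file approach with a WinEventLog:// input on a Universal Forwarder. The channel names, index name and checkpoint settings are assumptions for the example; the index must already exist on the indexer, or the forwarded events are dropped.

```ini
# Added example, not from the original post.
# Does NOT work: Splunk cannot parse a live .evtx file as a plain text monitor.
# [monitor://C:\Windows\System32\winevt\Logs\Security.evtx]
# disabled = 0
# index = event_collector
# sourcetype = WinEventLog

# Works: ask the Windows Event Log API for the channel by name instead.
# Channel names ("Security", "System") are examples; index name is assumed
# and must exist on the indexer, otherwise the events are silently dropped.
[WinEventLog://Security]
disabled = 0
index = event_collector
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

[WinEventLog://System]
disabled = 0
index = event_collector
start_from = oldest
current_only = 0
```

After restarting the forwarder, `splunk list inputstatus` should show the WinEventLog inputs rather than a file monitor, and a search such as `index=event_collector sourcetype=WinEventLog` on the indexer confirms that events are arriving.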