Getting Data In

Universal Forwarder Install - Doesn't Forward System or Security Logs

mwilhide
New Member

Hello,

I installed the Universal Forwarder v4.3.5 on a Windows 7 system, and during the install I checked off the boxes to monitor the Application, Security, and System event logs. When the installation was complete I checked out my Splunk Indexer, and noticed that only the Application log was being forwarded.

I checked out my $SPLUNK_HOME\etc\system\local\inputs.conf file, and all it contained was:

[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

I had to manually add:

[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0

to get the logs to show up on my Indexer. Is there a reason why the Universal Forwarder isn't doing this when I select those options during the install?

Thank you!


Ayn
Legend

Splunk configuration files can reside in a number of different places. In the case of the settings that are created when you install a Universal Forwarder, they reside in an app called "MSICreated" (iirc). The app in turn resides under $SPLUNK_HOME\etc\apps.

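The layering Ayn describes is the whole story behind the question: Splunk merges every inputs.conf it finds, with etc/system/local overriding etc/apps/&lt;app&gt;/local, which overrides etc/apps/&lt;app&gt;/default, which overrides etc/system/default, and the Security channel only forwards if the merged result for its stanza is disabled = 0. The script below is an added example (my code, not Splunk's btool and not anything from this thread) that models that merge and reports, for each key, which file supplied the winning value. The MSICreated and etc/system/local contents are the ones quoted in the thread; the MSICreated subdirectory (local) and the etc/system/default layer that disables the channels are assumptions made so there is something for the higher layers to override. Ordering between several apps is left to the caller. On a real forwarder the authoritative check is `splunk btool inputs list --debug` from $SPLUNK_HOME\bin, which prints the same kind of per-key provenance.

```python
"""Model of Splunk inputs.conf layering (added example; not Splunk's own btool)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample layers, listed lowest precedence first.
# The default layer is an ASSUMPTION for this example: it stands in for whatever
# lower layer left the channels off before the installer wrote its app.
DEFAULT_LAYER = ("etc/system/default/inputs.conf", """
[WinEventLog:Application]
disabled = 1
[WinEventLog:Security]
disabled = 1
[WinEventLog:System]
disabled = 1
[WinEventLog:ForwardedEvents]
disabled = 1
""")

# Contents as quoted in the thread; the "local" subdirectory is assumed.
MSICREATED_LAYER = ("etc/apps/MSICreated/local/inputs.conf", """
[WinEventLog:Application]
disabled = 0
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0
""")

# etc/system/local as quoted in the thread, after the poster's manual additions.
SYSTEM_LOCAL_LAYER = ("etc/system/local/inputs.conf", r"""
[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
""")

Conf = Dict[str, Dict[str, str]]
Merged = Dict[str, Dict[str, Tuple[str, str]]]  # stanza -> key -> (value, source file)


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf syntax: [stanza] headers, key = value lines, # comments."""
    conf: Conf = {}
    stanza: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})  # an empty stanza is still a stanza
            continue
        if stanza is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(layers: List[Tuple[str, str]]) -> Merged:
    """Merge layers given lowest precedence first; later layers override earlier."""
    merged: Merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                target[key] = (value, path)
    return merged


def winning_source(merged: Merged, stanza: str, key: str) -> Optional[Tuple[str, str]]:
    """Effective (value, file) for one key, or None if no layer sets it."""
    return merged.get(stanza, {}).get(key)


def enabled_eventlogs(merged: Merged) -> List[str]:
    """WinEventLog stanzas whose effective 'disabled' is explicitly 0."""
    return sorted(stanza for stanza, settings in merged.items()
                  if stanza.startswith("WinEventLog:")
                  and settings.get("disabled", ("", ""))[0] == "0")


def btool_style_report(merged: Merged) -> List[str]:
    """One line per effective key, prefixed with the file that supplied it."""
    lines: List[str] = []
    for stanza in sorted(merged):
        lines.append(f"[{stanza}]")
        for key, (value, path) in sorted(merged[stanza].items()):
            lines.append(f"{path:<42} {key} = {value}")
    return lines


LAYERS = [DEFAULT_LAYER, MSICREATED_LAYER, SYSTEM_LOCAL_LAYER]

if __name__ == "__main__":
    print("\n".join(btool_style_report(merge_layers(LAYERS))))
    print("enabled:", enabled_eventlogs(merge_layers(LAYERS)))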


Ayn
Legend

That conf file looks correct, yes. I'm afraid I can't say anything about why the events weren't picked up to begin with.

0 Karma

mwilhide
New Member

Interesting, thanks for the info. I just checked that inputs.conf file, and this is what it looks like:
[WinEventLog:Application]
disabled = 0
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0

I wonder why I had to modify the \etc\system\local\inputs.conf file in order to get everything working? The inputs.conf file in \etc\apps directory looks like it should have forwarded events like I wanted.

Thanks for your response!

0 Karma
Get Updates on the Splunk Community!

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...