Hello,
I installed the Universal Forwarder v4.3.5 on a Windows 7 system, and during the install I checked off the boxes to monitor the Application, Security, and System event logs. When the installation was complete I checked out my Splunk Indexer, and noticed that only the Application log was being forwarded.
I checked out my $SPLUNK_HOME\etc\system\local\inputs.conf file, and all it contained was:
[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
I had to manually add:
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
to get the logs to show up on my Indexer. Is there a reason why the Universal Forwarder isn't doing this when I select those options during the install?
Thank you!
Splunk configuration files can reside in a number of different places. In the case of the settings that are created when you install a Universal Forwarder, they reside in an app called "MSICreated" (iirc). The app in turn resides under $SPLUNK_HOME\etc\apps.
That conf file looks correct, yes. I'm afraid I can't say anything about why the events weren't picked up to begin with.
Interesting, thanks for the info. I just checked that inputs.conf file, and this is what it looks like:
[WinEventLog:Application]
disabled = 0
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0
I wonder why I had to modify the \etc\system\local\inputs.conf file in order to get everything working. The inputs.conf file in the \etc\apps directory looks like it should have forwarded events like I wanted.
Thanks for your response!
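Added example, not from this thread or from Splunk: a small Python script that merges the two inputs.conf files quoted above (the installer-created app's file and $SPLUNK_HOME\etc\system\local\inputs.conf) in the order the answer describes, system/local overriding the app, and reports which WinEventLog channels carry an explicit disabled setting, so the Security log can be confirmed as collected before trusting what the indexer shows. The merge rule (later layer wins key by key, a [default] stanza feeds every other stanza) is an assumption; a stanza with no disabled key is only flagged as unspecified rather than guessed at.

```python
import configparser
# Constructed samples: the two inputs.conf files quoted in this thread.
SYSTEM_LOCAL = r"""
[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
"""
MSI_APP = r"""
[WinEventLog:Application]
disabled = 0
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0
"""

def parse_conf(text):
    """Parse one Splunk-style .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def merge_layers(layers):
    """Merge parsed files, lowest precedence first, so later layers win key by key.
    Assumed rule: a [default] stanza supplies fallback values to every other stanza."""
    defaults, stanzas = {}, {}
    for layer in layers:
        defaults.update(layer.get("default", {}))
        for name, settings in layer.items():
            if name != "default":
                stanzas.setdefault(name, {}).update(settings)
    return {name: {**defaults, **settings} for name, settings in stanzas.items()}

def eventlog_status(effective):
    """Map each WinEventLog channel to enabled/disabled/unspecified (no disabled key)."""
    status = {}
    for name, settings in effective.items():
        if name.startswith("WinEventLog:"):
            value = settings.get("disabled")
            status[name.split(":", 1)[1]] = ("unspecified" if value is None else
                                             "disabled" if value.strip() in ("1", "true") else "enabled")
    return status

# Precedence on the forwarder: the installer app's file is overridden by system/local.
EFFECTIVE = merge_layers([parse_conf(MSI_APP), parse_conf(SYSTEM_LOCAL)])
```

Running eventlog_status(EFFECTIVE) on the thread's files shows Application, Security and System as enabled and the other channels as unspecified, which is what to compare against the channels actually arriving at the indexer.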