Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder Install - Doesn't Forward System or Security Logs

mwilhide
New Member
‎03-07-2013 12:35 PM

Hello,

I installed the Universal Forwarder v4.3.5 on a Windows 7 system, and during the install I checked off the boxes to monitor the Application, Security, and System event logs. When the installation was complete I checked out my Splunk Indexer, and noticed that only the Application log was being forwarded.

I checked out my $SPLUNK_HOME\etc\system\local\inputs.conf file, and all it contained was:

[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

I had to manually add:

[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0

to get the logs to show up on my Indexer. Is there a reason why the Universal Forwarder isn't doing this when I select those options during the install?

Thank you!

Tags (1)
0 Karma
Reply

Ayn
Legend
‎03-07-2013 01:02 PM

Splunk configuration files can reside in a number of different places. In the case of the settings that are created when you install a Universal Forwarder, they reside in an app called "MSICreated" (iirc). The app in turn resides under $SPLUNK_HOME\etc\apps.

0 Karma
Reply

Ayn
Legend
‎03-07-2013 01:27 PM

That conf file looks correct, yes. I'm afraid I can't say anything about why the events weren't picked up to begin with.

0 Karma
Reply

mwilhide
New Member
‎03-07-2013 01:07 PM

Interesting, thanks for the info. I just checked that inputs.conf file, and this is what it looks like:
[WinEventLog:Application]
disabled = 0
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0

I wonder why I had to modify the \etc\system\local\inputs.conf file in order to get everything working? The inputs.conf file in \etc\apps directory looks like it should have forwarded events like I wanted.

Thanks for your response!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...