Solved: Universal Forwarder Not Forwarding Windows Event L...

itsomana · ‎10-20-2011

I have just installed a Universal forwarder on a windows server and during the installation I selected the option to index windows event logs and performance logs.

I have checked splunk and can see it indexing performance logs, however it is not indexing the windows event logs. I can see these logs set-up in the following location.

C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf

As it is a windows server, do I need to copy in a windows folder where the inputs.conf file can be updated in window\local folder

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

View solution in original post

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

Universal Forwarder Not Forwarding Windows Event Logs

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor