Solved: Re: Universal Forwarder Not Forwarding Windows Eve...

itsomana · ‎10-20-2011

I have just installed a Universal forwarder on a windows server and during the installation I selected the option to index windows event logs and performance logs.

I have checked splunk and can see it indexing performance logs, however it is not indexing the windows event logs. I can see these logs set-up in the following location.

C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf

As it is a windows server, do I need to copy in a windows folder where the inputs.conf file can be updated in window\local folder

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

View solution in original post

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

Universal Forwarder Not Forwarding Windows Event Logs

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Universal Forwarder Not Forwarding Windows Event Logs

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2