Solved: Re: Universal Forwarder Not Forwarding Windows Eve...

itsomana · ‎10-20-2011

I have just installed a Universal forwarder on a windows server and during the installation I selected the option to index windows event logs and performance logs.

I have checked splunk and can see it indexing performance logs, however it is not indexing the windows event logs. I can see these logs set-up in the following location.

C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf

As it is a windows server, do I need to copy in a windows folder where the inputs.conf file can be updated in window\local folder

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

View solution in original post

JSapienza · ‎10-20-2011

No you shouldn't need to copy anything if the stanza's are properly enabled in the inputs.conf such as:

[WinEventLog:Application]

disabled = false

[WinEventLog:Security]

disabled = false

[WinEventLog:System]

disabled = false

Have you viewed the splunkd.log
Open the %SPLUNK_HOME%\var\log\splunk\splunkd.log file and search for wmi or error .

Universal Forwarder Not Forwarding Windows Event Logs

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

Universal Forwarder Not Forwarding Windows Event Logs

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...