Getting Data In

Universal Forwarder - Start collection without indexing old logs

zindain24
Path Finder

Hello, we are looking to collect Windows (Application, Security, and System) logs from 14 Domain Controllers. By default the Universal Forwarder begins indexing the logs from the systems earliest event to the most recent. Is there a way we can tell the forwarder to start collection of new events, and not index the old log files?

Thanks!

0 Karma
1 Solution

ysouchon
Explorer

Via inputs.conf (local): current_only = 1

or

Via wmi.conf (remote) : current_only = 1

View solution in original post

0 Karma

criazuelo_splun
Splunk Employee
Splunk Employee

This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard.

0 Karma

zindain24
Path Finder

Thanks ysouchon, added the following to inputs.conf:

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

0 Karma

ysouchon
Explorer

Via inputs.conf (local): current_only = 1

or

Via wmi.conf (remote) : current_only = 1

0 Karma

criazuelo_splun
Splunk Employee
Splunk Employee

This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...