Getting Data In

Universal Forwarder not sending Directory Service and other logs.

nmenon1215
New Member

I have uploaded a Universal Forwarder to my Windows VM and configured both the inputs.conf and outputs.conf. I can confirm that the outputs.conf is working because the following logs are showing up in Splunk:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0


However, logs under Applications and Services Logs are not showing up:

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0



I have checked the Event Viewer to confirm that there are logs. The only difference that I see is that in the Event Viewer, the logs that are showing are in the path Event Viewer (Local) -> Windows Logs -> ..., and the ones that are not showing are in the path Event Viewer (Local) -> Applications and Services Logs -> ...

my inputs.conf file:

host = <full computer name>

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0
0 Karma
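A quick check for the situation described in the post above (an added example, not code from the poster or from Splunk): the stanza name after `WinEventLog://` must be the channel's exact LogName as Windows reports it, the channel must actually hold records, and the account running the forwarder service must be allowed by the channel's access descriptor. The script below reads the stanza names from the inputs.conf path given in the thread and checks all three on the host.

```powershell
# Added example (not from the original post or from Splunk). Run in an elevated PowerShell on the
# forwarder host. It reads every WinEventLog:// stanza name from inputs.conf, asks Windows whether a
# channel with exactly that name exists and how many records it holds, prints the channel's access
# SDDL, and shows which account the SplunkForwarder service runs as (that account needs read access
# to each channel). The inputs.conf path is the one given in the thread; adjust if yours differs.
$inputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'

$channels = Select-String -Path $inputsConf -Pattern '^\s*\[WinEventLog://(.+?)\]' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

foreach ($name in $channels) {
    # -ListLog takes the channel's LogName; a typo, stray space or display-name mismatch shows as MISSING
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        "MISSING  [$name]  no channel with this exact name (compare: Get-WinEvent -ListLog '*' | Select-Object LogName)"
        continue
    }
    'OK       [{0}]  enabled={1}  records={2}  lastWrite={3}' -f $name, $log.IsEnabled, $log.RecordCount, $log.LastWriteTime

    # channelAccess is the SDDL that decides who may read the channel
    $access = wevtutil gl $name | Select-String 'channelAccess'
    if ($access) { '         ' + $access.Line.Trim() }
}

# The service account must be allowed by every SDDL printed above (LocalSystem is, by default)
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
"SplunkForwarder runs as: $($svc.StartName)  state=$($svc.State)"
```

A channel that reports OK with a non-zero record count but never shows up in Splunk points at the forwarder side (configuration layering, index, or read permission of the service account) rather than at Windows.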

PaulPanther
Motivator

Okay, that's weird. Just for verification, please execute the btool command that was provided by nmohammed and share the output with us.

0 Karma

nmenon1215
New Member

Truncated output (the message was too long):

C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [SSL]
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        _rcvbuf = 1572864
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        allowSslRenegotiation = true
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        certLogMaxCacheEntries = 10000
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        certLogRepeatFrequency = 1d
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        ecdhCurves = prime256v1, secp384r1, secp521r1
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          host = <Full Computer Name>
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        index = default
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        logCertificateData = true
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        sslQuietShutdown = false
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        sslVersions = tls1.2
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://Application]
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   checkpointInterval = 5
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   current_only = 0
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          disabled = 0
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = <Full Computer Name>
index = default
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   start_from = oldest
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          [WinEventLog://DNS Server]
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          checkpointInterval = 5
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          current_only = 0
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          disabled = 0
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = <Full Computer Name>
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          index = main
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          start_from = oldest
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          [WinEventLog://Directory Service]
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          checkpointInterval = 5
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          current_only = 0
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          disabled = 0
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = <Full Computer Name>
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          index = main
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          start_from = oldest
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://ForwardedEvents]
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   checkpointInterval = 5
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   current_only = 0
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   disabled = 0
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = <Full Computer Name>
index = default
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   start_from = oldest
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://Security]
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   checkpointInterval = 5
C:..\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   current_only = 0
C:..\SplunkUniversalForwarder\etc\system\local\inputs.conf                          disabled = 0
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:..\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = <Full Computer Name>
index = default

0 Karma

nmohammed
Builder

Do you have any other app or add-on configured with the inputs? Run the following to see all inputs that may be present on your forwarder:

$SPLUNK_HOME/bin/splunk btool inputs list --debug

0 Karma

PaulPanther
Motivator

Please specify the parameters for both stanzas as shown below, and let me know how you applied the inputs.conf: via the deployment server or locally? Please share the whole path of the settings.

[WinEventLog://Directory Service]

checkpointInterval = 5
current_only = 0
disabled = 0
index = <your_index>
start_from = oldest



[WinEventLog://DNS Server]

checkpointInterval = 5
current_only = 0
disabled = 0
index = <your_index>
start_from = oldest
0 Karma

nmenon1215
New Member

Made the changes but still didn't see the logs go through. I am setting up the inputs.conf file on the Windows VM locally and then restarting the Splunk Forwarding Service afterwards to see the changes. 
Here are the settings and path:

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

host = <Full Computer Name>

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Directory Service]
checkpointInterval = 5
current_only = 0
disabled = 0
index = main
start_from = oldest

[WinEventLog://DNS Server]
checkpointInterval = 5
current_only = 0
disabled = 0
index = main
start_from = oldest

[perfmon://Network Interface]
disabled = 1

[perfmon://CPU Load]
disabled = 1

[perfmon://Available Memory]
disabled = 1

[perfmon://Disk Space]
disabled = 1



Another problem I am noticing is that even though I disabled the perfmon logs, they still show. Not a big deal but it might help diagnose the root problem.

0 Karma
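The btool output earlier in the thread and the perfmon puzzle in the post above are both questions of configuration layering: which file supplies each key of a merged stanza. The script below (an added example, not code from the thread or from Splunk) condenses `splunk btool inputs list --debug` into one row per `WinEventLog://` and `perfmon://` stanza, showing the effective `disabled`, `index` and `start_from` values and the layer each came from. It assumes the default install path; the embedded sample is constructed to imitate the shape of btool output and is not the poster's real output. Set `$UseSample = $false` to parse the live output on your forwarder.

```powershell
# Added example, not from the original thread or from Splunk. Summarises `splunk btool inputs
# list --debug` into one row per WinEventLog:// and perfmon:// stanza: the effective value of the
# keys that decide whether data flows (disabled, index, start_from) and the config layer each value
# came from. A stanza whose header is supplied by one app while its keys come from another, or
# whose index is not the one you are searching, stands out immediately.
# Assumptions: default install path; $UseSample = $true parses the constructed snippet below.
$splunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$UseSample  = $true

# Constructed sample in the shape btool --debug prints (file that supplied the line, then content)
$sampleText = @"
$splunkHome\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://Application]
$splunkHome\etc\system\local\inputs.conf                          disabled = 0
$splunkHome\etc\system\default\inputs.conf                        index = default
$splunkHome\etc\apps\SplunkUniversalForwarder\local\inputs.conf   start_from = oldest
$splunkHome\etc\system\local\inputs.conf                          [WinEventLog://DNS Server]
$splunkHome\etc\system\local\inputs.conf                          disabled = 0
$splunkHome\etc\system\local\inputs.conf                          index = main
$splunkHome\etc\system\local\inputs.conf                          start_from = oldest
$splunkHome\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [perfmon://CPU Load]
$splunkHome\etc\system\local\inputs.conf                          disabled = 1
$splunkHome\etc\apps\SplunkUniversalForwarder\local\inputs.conf   interval = 10
"@

$lines = if ($UseSample) { $sampleText -split "`r?`n" }
         else { & (Join-Path $splunkHome 'bin\splunk.exe') btool inputs list --debug }

function Get-Layer([string]$path) {
    # Reduce a full .conf path to the layer that supplied the value, e.g. system/local or apps/<app>/local
    if ($path -match '[\\/]etc[\\/](.+?)[\\/]inputs\.conf$') { return $Matches[1] -replace '\\', '/' }
    return $path
}

$rows = @()
$current = $null
foreach ($line in $lines) {
    # Every --debug line is "<file that supplied this line><spaces><stanza header or key = value>"
    if ($line -notmatch '^(?<file>.+?\.conf)\s+(?<rest>\S.*)$') { continue }
    $file = $Matches.file
    $rest = $Matches.rest.Trim()

    if ($rest -match '^\[(?<type>WinEventLog|perfmon)://(?<name>.+)\]$') {
        $stanza  = '{0}://{1}' -f $Matches.type, $Matches.name
        $current = [pscustomobject]@{
            Stanza     = $stanza
            HeaderFrom = Get-Layer $file
            disabled   = ''
            index      = ''
            start_from = ''
        }
        $rows += $current        # $current is a reference; later key assignments update this row
    }
    elseif ($rest.StartsWith('[')) {
        $current = $null         # a stanza type we are not summarising; ignore its keys
    }
    elseif ($current -and $rest -match '^(?<k>disabled|index|start_from)\s*=\s*(?<v>.*)$') {
        $k = $Matches.k
        $v = $Matches.v.Trim()   # read before Get-Layer, which runs its own -match
        $current.$k = '{0}  ({1})' -f $v, (Get-Layer $file)
    }
}

$rows | Format-Table -AutoSize -Wrap
```

On the sample, the Application row shows its header from apps/SplunkUniversalForwarder/local, `disabled` from system/local and `index` from system/default, while the DNS Server row is entirely from system/local with `index = main`; on a live forwarder the same table tells you which index to search for each channel and whether a `disabled = 1` you wrote is the value that actually won.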

PaulPanther
Motivator

Okay, the inputs.conf looks okay. The index main is definitely empty even if you search all time?

Could you check the internal logs on the affected Splunk Universal Forwarder for any issues?

0 Karma
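For the "check the internal logs" step in the reply above, the forwarder's own splunkd.log is the place to look. The script below is an added example (not code from the thread or from Splunk) that reads the tail of that log, keeps lines the forwarder itself flagged, lines from the Windows Event Log input and the TCP output pipeline, and anything that names the two silent channels, and then lists the per-channel checkpoint files. It assumes the default install path and the standard splunkd.log line format.

```powershell
# Added example, not from the original thread or from Splunk. Reads the forwarder's splunkd.log and
# surfaces the lines that explain a silent WinEventLog input: WARN/ERROR entries, input/output
# lifecycle messages, and any mention of the channels that show no data.
# Assumptions: default install path; splunkd.log lines of the form
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message".
$splunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$logFile     = Join-Path $splunkHome 'var\log\splunk\splunkd.log'
$channels    = 'Directory Service', 'DNS Server'            # the stanzas that show no data
$chRegex     = ($channels | ForEach-Object { [regex]::Escape($_) }) -join '|'
$linePattern = '^(?<ts>\S+ \S+ \S+)\s+(?<lvl>[A-Z]+)\s+(?<comp>\S+)\s+-\s+(?<msg>.*)$'

$events = Get-Content -Path $logFile -Tail 5000 | ForEach-Object {
    if ($_ -match $linePattern) {
        [pscustomobject]@{ Time = $Matches.ts; Level = $Matches.lvl; Component = $Matches.comp; Message = $Matches.msg }
    }
}

# 1. Anything the forwarder itself considers a problem
"== WARN/ERROR =="
$events | Where-Object { $_.Level -in 'WARN', 'ERROR', 'FATAL' } |
    Format-Table Time, Level, Component, Message -AutoSize -Wrap

# 2. Lifecycle of the event log input and of the TCP output (did the input start? did it connect?)
"== input / output pipeline =="
$events | Where-Object { $_.Component -match 'WinEventLog|ExecProcessor|ModularInputs|TcpOutputProc' } |
    Select-Object -Last 40 | Format-Table Time, Level, Component, Message -AutoSize -Wrap

# 3. Any line that names the channels which show no data
"== lines naming $($channels -join ', ') =="
$events | Where-Object { $_.Message -match $chRegex } |
    Format-Table Time, Level, Component, Message -AutoSize -Wrap

# Checkpoints: the WinEventLog input records its read position per channel under this directory.
# No entry for a channel means the input never started reading it; an existing entry means a later
# change to start_from is ignored for that channel. (Location as used by the UF; adjust if your
# version keeps checkpoints elsewhere.)
$ckptDir = Join-Path $splunkHome 'var\lib\splunk\modinputs\WinEventLog'
if (Test-Path $ckptDir) { Get-ChildItem $ckptDir | Select-Object Name, Length, LastWriteTime }
else { "no WinEventLog checkpoint directory at $ckptDir" }
```

If section 2 shows the input starting and TcpOutputProc connecting, but section 3 shows an access or "log not found" message for a channel, the cause is on the Windows side (channel name or read permission); if nothing at all mentions the channel, the stanza never reached the running configuration and the btool output is where to look.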