Re: Universal Forwarder only sends monitored log f...

nabeel652 · ‎05-26-2015

I have a universal forwarder installed on my Print Server (Windows 2012 R2). I used WinPrintMon but it is giving some funny results. However, I am able to pull out printer logs through pointing directly to the file c:\windows\system32\winevt\logs\microsoft-windows-printer%4operational. However, the forwarder only sends once the logs when restarted. After that it will not send any logs until restarted.

acharlieh · ‎05-26-2015

Why are you using a monitor stanza instead of a WinEventLog stanza similar to: http://answers.splunk.com/answers/124859/unable-to-index-microsoft-windows-printservice-operational....

richgalloway · ‎05-26-2015

What are your inputs.conf settings?

---
If this reply helps you, Karma would be appreciated.

nabeel652 · ‎05-26-2015

Thanks buddy, adding WinEventLog stanza solved my problem Cheers 🙂

nabeel652 · ‎05-26-2015

[monitor://c:\windows\system32\winevt\logs\Microsoft-Windows-PrintService%4Admin]
disabled=false
index=printmon

I've also tried with MonitorNoHandle but in that case the forwarder doesn't send data at all.

Universal Forwarder only sends monitored log file once per restart...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...