Getting Data In

Universal Forwarder

New Member

I have universal forwarder installed on a Windows 2008 box. I have a directory c:\logs\firewall setup where I am pointing the Windows firewall logs. I want to have the universal forwarder pick these up and send them to the indexer. I am newb and have read through the doc and its not really clear to me on how to do this. I know I need to edit the inputs.conf but I am not sure of the syntax.

Any help is appreciated.

0 Karma

Splunk Employee
Splunk Employee

Just edit your inputs.conf in $SPLUNK_HOME/etc/system/local/. If inputs.conf doesn't exist, add the file.

Do something like this:

[monitor:://C:\Logs\firewall]
disabled = 0 
sourcetype = my_sourcetype
host = my_hostname

For details, see:

http://www.splunk.com/base/Documentation/latest/admin/inputsconf

I hope this points you in the right direction.

0 Karma

Splunk Employee
Splunk Employee

actually: [monitor://c:\\c:\logs\firewall], i.e., only one colon. You don't need the disabled=0 clause, that's default, and most of hte time you don't need the hostname if the local forwarder host is correct.

0 Karma