Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal forwarder is not collecting events on Forwarded Folder of windows server

AKG
Path Finder
‎05-10-2012 11:28 PM

Hi All I am new to Splunk and having some issue...

we have a windows 2008r2 server setup as an event collector for windows servers. Event logs from windows server is being forwarded to this server and goes on to "Forwarded Events" folder.

Now I installed universal forwarder on this server with only "Forwarded Events Log" selected. When i go to splunk server, I can't see any events coming.

if I install with other option selected(e.g. Application Log), I can see application log of that server appearing on splunk server.

I was wondering if i am missing something and will appreciate if some one can guide me.

Note:- we have decided not to install splunk agents in every server and not to use wmi as the number of windows we have is lot(in hundreds).

Thank you in Advance.

Reply
1 Solution
Solved! Jump to solution
Solution

rovechkin_splun
Splunk Employee
Splunk Employee
‎05-22-2012 11:20 AM

the is a slight bug in default configuration. The issue is that "Forwarded Events" have a space between them, while Windows ForwardedEvents event log doesn't. The workaround is to find all occurrences of "Forwarded Events" in *.conf stanzas and remove space, e.g.

Splunk\etc>find /s "Forwarded Events" *.conf

inputs.conf: [WinEventLog:Forwarded Events]

replace with [WinEventLog:ForwardedEvents]

reboot Splunk.

View solution in original post

Reply
Solved! Jump to solution

kmjackson788
Engager
‎02-06-2013 06:39 AM

That fixes it.

%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx

The space [WinEventLog:Forwarded Events] does not work. Hopefully they fixed the documentation. ( I sent a documentation fix)

http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Inputsconf

I dont have enough credit to upvote the above answer.

Reply
Solved! Jump to solution

kmjackson788
Engager
‎02-06-2013 10:51 AM

They fixed the docs on inputs.conf. @rovechikin Should of submitted a change on the docs inputs.conf page to save people the frustration.

0 Karma
Reply
Solved! Jump to solution
Solution

rovechkin_splun
Splunk Employee
Splunk Employee
‎05-22-2012 11:20 AM

the is a slight bug in default configuration. The issue is that "Forwarded Events" have a space between them, while Windows ForwardedEvents event log doesn't. The workaround is to find all occurrences of "Forwarded Events" in *.conf stanzas and remove space, e.g.

Splunk\etc>find /s "Forwarded Events" *.conf

inputs.conf: [WinEventLog:Forwarded Events]

replace with [WinEventLog:ForwardedEvents]

reboot Splunk.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...