Hi Everyone,
I got an error when I tried to install a new agent on a new server using SplunkForwarder.
For inputs.conf I use this:
[WinEventLog://Security]
disabled = 0
index = windows
sourcetype = Wineventlog:Security

[WinEventLog://System]
disabled = 0
index = windows
sourcetype = Wineventlog:System

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = windows
sourcetype = WinEventLog:PowerShell
And the preview looks like this, with source = C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx
This is not my first time ingesting Windows logs, but this error just happened to me now, and I'm confused about how to solve it.
My bad, in this env my friend set up a different inputs.conf and it reads from .evtx, which is not readable in Splunk without some settings. Sorry guys
Hi @zksvc
Looks like a binary file was read there.
Have you followed the steps here https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata ?
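Added example, not part of the thread and not Splunk's own tooling: a small Python linter for inputs.conf that catches exactly the situation described above, a [monitor://...] stanza pointing at the binary event-log store (*.evtx files under winevt\Logs), which the forwarder reads as raw bytes, and suggests the [WinEventLog://Channel] stanza that reads the same channel through the Windows Event Log API instead. The sample inputs.conf embedded below is constructed from the three stanzas in the question plus one hypothetical monitor stanza for the source path shown in the preview; the function and key names are my own.

```python
"""Lint a Splunk inputs.conf for stanzas that read .evtx files as plain text.

Added example for this thread (not Splunk's code): flags [monitor://...]
stanzas that target *.evtx files or the winevt\\Logs folder, which contain
binary data the forwarder cannot parse, and suggests the equivalent
[WinEventLog://Channel] stanza.
"""
import configparser
import ntpath


def evtx_channel_name(path):
    """Map an .evtx file name to its event-log channel name.

    Windows stores '/' in channel names as '%4' in the file name, e.g.
    Microsoft-Windows-WFP%4Operational.evtx -> Microsoft-Windows-WFP/Operational.
    """
    name = ntpath.basename(path)
    if name.lower().endswith(".evtx"):
        name = name[:-5]
    return name.replace("%4", "/")


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for an inputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def lint_inputs_conf(text):
    """Return a list of findings for monitor stanzas that read binary .evtx data."""
    findings = []
    for stanza, keys in parse_inputs_conf(text).items():
        if not stanza.lower().startswith("monitor://"):
            continue
        target = stanza[len("monitor://"):]
        low = target.lower()
        if not (low.endswith(".evtx") or "winevt\\logs" in low):
            continue  # ordinary text-file monitor, nothing to flag
        if keys.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # stanza is disabled, so nothing is being read
        channel = evtx_channel_name(target)
        # Only suggest a replacement when the target is a single .evtx file;
        # a folder or wildcard maps to several channels, one stanza each.
        suggested = None
        if low.endswith(".evtx") and "*" not in channel:
            suggested = "WinEventLog://" + channel
        findings.append({
            "stanza": stanza,
            "index": keys.get("index"),
            "suggested_stanza": suggested,
            "reason": ".evtx is a binary store; use a WinEventLog:// input",
        })
    return findings


# Constructed sample: the three stanzas from the question plus a hypothetical
# monitor stanza for the .evtx path seen in the preview.
SAMPLE_INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
index = windows
sourcetype = Wineventlog:Security

[WinEventLog://System]
disabled = 0
index = windows
sourcetype = Wineventlog:System

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = windows
sourcetype = WinEventLog:PowerShell

[monitor://C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx]
disabled = 0
index = windows
"""


if __name__ == "__main__":
    for finding in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        print(finding["stanza"])
        print("  reason:   ", finding["reason"])
        print("  replace with:", finding["suggested_stanza"])
```

Run it against the forwarder's etc\system\local\inputs.conf (or any app's local\inputs.conf) and every flagged stanza is one that will show up in Splunk as unreadable binary; the suggested WinEventLog:// stanza reads the same channel through the event-log API so events arrive parsed.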