Getting Data In

Why am I not seeing custom logs using the universal forwarder?

pfabrizi
Path Finder

I am using the UF to try to collect logs from a custom Windows application. Below is my inputs.conf stanza. However, I am not seeing the logs. How can I see if they are getting collected, and how can I see if they are getting to the indexer?

[WinEventLog://Quest File Access Audit]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml = false
0 Karma
1 Solution

MuS
Legend

Hi pfabrizi,

On the server running the universal forwarder, enter this URI into a web browser:

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

The username and password are the local Splunk universal forwarder ones (by default Splunk/changeme, or whatever you set it to during install). Read more here: https://www.splunk.com/blog/2011/01/02/did-i-miss-christmas-2.html

If the events are monitored, good. Log in to your Splunk Web UI and run an all-time search on index=wineventlog; it may be that the timestamp is not recognised. If so, read here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

If the events are not being monitored by the universal forwarder it might be a permission issue on the Windows box ...

Hope this helps ...

cheers, MuS


0 Karma
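The checks in the answer above, collected into one script to run on the forwarder host. This is an added example, not code from the thread or from Splunk; it assumes the default Universal Forwarder install path, uses the `inputstatus` REST endpoint the answer points to (the parent endpoint, so that every input processor is listed, not only file monitors), and greps splunkd.log for the channel name from the question.

```powershell
# Added diagnostic script for a Windows Universal Forwarder (not from the original thread).
# Assumption: default UF install path; change $SplunkHome if yours differs.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
$Channel    = 'Quest File Access Audit'   # WinEventLog stanza name from the question

# 1. Is the forwarder connected to an indexer at all?
#    The indexer should appear under "Active forwards"; "Configured but inactive"
#    means the UF cannot reach port 9997 (or whatever receiving port you configured).
Write-Host '== Forward-server status =='
& $SplunkExe list forward-server

# 2. What does the UF itself say about its inputs?
#    This is the same data as the REST URI in the answer, but the parent endpoint,
#    so event log inputs are listed as well as file monitors. curl.exe ships with
#    Windows 10+; -k is needed because the management port uses a self-signed cert,
#    and -u with only a username makes curl prompt for the password instead of
#    putting it on the command line.
Write-Host "`n== Input status from the management port =="
& curl.exe -s -k -u admin 'https://localhost:8089/services/admin/inputstatus'

# 3. Did the input start, and did it log any errors (e.g. access denied on the channel)?
Write-Host "`n== splunkd.log lines mentioning the channel, or WARN/ERROR =="
Select-String -Path $SplunkdLog -Pattern ([regex]::Escape($Channel)), 'WARN', 'ERROR' |
    Select-Object -Last 30 |
    ForEach-Object { $_.Line }
```

On the indexer, an all-time search for `index=_internal host=<uf-host>` shows whether the forwarder's own logs arrive at all; if they do but `index=wineventlog` stays empty, the problem is the input or the index name (the index must exist on the indexer), not the network path.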
