Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not seeing custom logs using the universal forwarder?

pfabrizi
Path Finder
‎07-15-2018 02:14 PM

I am using the UF to try and collect logs from a custom windows application. Below is my inputs.conf stanza. How I am not seeing the logs. How can I see if they are getting collected and how can see if they are getting to the indexer?

[WinEventLog://Quest File Access Audit]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-15-2018 02:49 PM

Hi pfabrizi,

on the server running the universal forwarder, enter this URI into a webbrowser:

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

username and password are the local Splunk universal forwarder ones (by default Splunk/changeme - or to whatever you did set it while install). Read more here : https://www.splunk.com/blog/2011/01/02/did-i-miss-christmas-2.html

If the events are monitored, good. Login to your Splunk Web UI and run an all time search on index=wineventlog it maybe that the timestamp is not recognised. If so, read here http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

If the events are not being monitored by the universal forwarder it might be a permission issue on the Windows box ...

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-15-2018 02:49 PM

Hi pfabrizi,

on the server running the universal forwarder, enter this URI into a webbrowser:

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

username and password are the local Splunk universal forwarder ones (by default Splunk/changeme - or to whatever you did set it while install). Read more here : https://www.splunk.com/blog/2011/01/02/did-i-miss-christmas-2.html

If the events are monitored, good. Login to your Splunk Web UI and run an all time search on index=wineventlog it maybe that the timestamp is not recognised. If so, read here http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

If the events are not being monitored by the universal forwarder it might be a permission issue on the Windows box ...

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...