
Why am I receiving no WinEventlog:Security events from the universal-forwarder?

New Member

I am new to Splunk, trying to fill in for someone who has left the company, and the company could not afford to continue service this time around.

I am trying to read Event ID 4625 and 4624. What I am noticing is that I am getting NO Security events. I do however receive Setup events. I am using the Universal Forwarder to get events from Windows 7 and Server 2008 R2 machines. At home I am using Workgroup and at Work a Domain, same results on both.

As for the search I enter the following: sourcetype=WinEventLog:S*
I also enter in 4625* OR 4624*
I can view the events via the Event Viewer, so I know the machine in question has the events. I just need to track whether they are leaving the target machine and going to the indexer, and then whether the indexer is for some reason filtering the events.

Splunk version 6.0.182037
Splunk Universal Forwarder 6.2.1-245427

Any help or pointing to docs would be helpful. I have been reading a lot of the posts trying things, but nothing seems to help and I am running out of time!!

Thanks in Advance.

1 Solution

Path Finder

Does your inputs.conf have

[WinEventLog://Security]
index = indexname
disabled = 0 

If not, add that in and restart the forwarder service.


New Member

I am receiving Security events from the Indexer, where I use a Universal Forwarder to send events to itself instead of pointing to the files. I am still not seeing Security events from the standalone Windows 2008 R2 Server. As before, I am still getting the Setup events and performance events, but no Security events.

Is a trusted certificate required for this transaction? I did not configure that part of the Universal Forwarder.


New Member

I just received this error message on the indexer.

received event for unconfigured/disabled/deleted index='indexname' with source='source::WinEventLog:Security' host='host::ASUS' sourcetype='sourcetype::WinEventLog:Security' (2 missing total)


New Member

I did find a reference to this in the inputs.conf edit doc; what is interesting is that this seems to be a default setting. Do you know why it did not work? Is this an issue with Splunk or the OS that requires it to be specifically listed?


Path Finder

I think it would only be a default setting if you selected it during the installation of the forwarder. Most people leave those things undefined and manually configure the inputs.conf.


Path Finder

Set the index name to an index that exists on your system. You can set it to 'main' if you want it in the main index.
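The two failure modes in this thread (a missing or disabled [WinEventLog://Security] stanza on the forwarder, and a stanza pointing at an index the indexer does not have, which produces the "unconfigured/disabled/deleted index" message) can be caught before restarting anything. The following checker is an added example written for this thread, not Splunk code and not from any poster; the inputs.conf text, the list of known indexes and the splunkd log line are constructed samples, and 'indexname' is the same placeholder the accepted answer uses.

```python
import re

# Constructed sample inputs.conf from a Universal Forwarder. The Security
# stanza mirrors the accepted answer; 'indexname' is a placeholder index.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
index = indexname
disabled = 0

[WinEventLog://Setup]
index = main
disabled = false

[WinEventLog://Application]
index = main
disabled = 1
"""

# Constructed set of indexes defined on the indexer (what indexes.conf declares).
KNOWN_INDEXES = {"main", "_internal"}

# Constructed splunkd log line of the kind quoted in the thread.
SAMPLE_LOG_LINE = (
    "received event for unconfigured/disabled/deleted index='indexname' "
    "with source='source::WinEventLog:Security' host='host::ASUS' "
    "sourcetype='sourcetype::WinEventLog:Security' (2 missing total)"
)


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza_name: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_disabled(value):
    """Splunk treats 1/true and 0/false (any case) as equivalent booleans,
    so 'disabled = false' and 'disabled = 0' both enable the input."""
    return value.strip().lower() in ("1", "true")


def check_inputs(conf_text, known_indexes):
    """Return (stanza, problem) pairs for WinEventLog inputs that would yield
    no searchable events: disabled inputs, or an index the indexer lacks.
    An unset 'index' is left alone, since Splunk then uses its default index."""
    problems = []
    for stanza, settings in parse_conf(conf_text).items():
        if not stanza.startswith("WinEventLog://"):
            continue
        if is_disabled(settings.get("disabled", "0")):
            problems.append((stanza, "input is disabled"))
        index = settings.get("index")
        if index is not None and index not in known_indexes:
            problems.append((stanza, f"index '{index}' does not exist on the indexer"))
    return problems


# Extracts the index name the indexer rejected from a splunkd log message.
INDEX_ERR = re.compile(r"unconfigured/disabled/deleted index='([^']+)'")


def missing_index_from_log(line):
    """Return the index named in an 'unconfigured/disabled/deleted index'
    message, or None if the line is not that message."""
    m = INDEX_ERR.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for stanza, problem in check_inputs(SAMPLE_INPUTS_CONF, KNOWN_INDEXES):
        print(f"{stanza}: {problem}")
    print("indexer rejected index:", missing_index_from_log(SAMPLE_LOG_LINE))
```

Run against a real forwarder by reading $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local/inputs.conf) in place of the sample, and populate the known-index set from the indexer's indexes.conf or its index list; a stanza that appears in neither output but still sends nothing is then a transport or permission question rather than a configuration one.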

New Member

First THANKS!!!!

where is this documented in the Splunk manuals???


New Member

Thanks for the response!!
I am assuming that I am adding this to the Universal forwarder inputs.conf file? I did go ahead and add the text and have restarted twice. I had a similar statement but disabled = false previously. Still no success.
