Why are Windows event logs no longer being forwarded after universal-forwarder upgrade to 6.1.2 for Windows 2008 R2?

Communicator

We just upgraded a very old UF on Windows 2008 R2 to 6.1.2. None of the Windows event logs are being forwarded to the indexer, though the UF logs and custom application logs are being forwarded to the indexer, so I know the UF can forward data.

The inputs.conf for the Windows Event logs:

[default]

[WinEventLog:Application]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
index = test

[WinEventLog:Security]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
blacklist = 5156|4656|33205|5158
index = test

[WinEventLog:System]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
index = test

We have a lot of other UF installs that are using this inputs.conf, so I am confused why this is not working.

The only related message I am seeing is:

INFO ModularInputs - No stanzas found for scheme "WinEventLog" in inputs.conf at script (re)start.

Any ideas why the inputs.conf is being ignored?

Thanks

0 Karma
1 Solution

Communicator

figured it out - forgot //

[default]

[WinEventLog://Application]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
index = tu_windows

[WinEventLog://Security]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
blacklist = 5156|4656|33205|5158
index = tu_windows

[WinEventLog://System]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest
index = tu_windows
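
An added example, not part of the original thread: a small lint for inputs.conf that catches the stanza-header mistake fixed above before the file is deployed, since a `[WinEventLog:Security]` header is skipped without an error and leaves a gap in Security log collection. The function name `lint_inputs_conf` and the scheme set are assumptions of this example, and the sample text is constructed from the stanza headers in the question.

```python
import re

# Input schemes that inputs.conf addresses as [scheme://name]. This set is an
# assumption of the example; extend it to match the inputs you deploy.
URI_SCHEMES = {"WinEventLog", "monitor", "script", "batch", "perfmon", "admon",
               "WinRegMon", "WinHostMon", "WinPrintMon", "WinNetMon"}
HEADER = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")

# Constructed sample: two headers as posted in the question, one valid header.
SAMPLE = """\
[default]

[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
blacklist = 5156|4656|33205|5158

[WinEventLog://System]
index = test
"""


def lint_inputs_conf(text):
    """Return (line_no, header, suggestion) for headers missing '//'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = HEADER.match(line)
        if not m:
            continue  # setting, comment or blank line
        name = m.group("name")
        scheme, sep, rest = name.partition(":")
        if scheme not in URI_SCHEMES or not sep:
            continue  # [default] or a stanza type this check does not cover
        if not rest.startswith("//"):
            findings.append((line_no, f"[{name}]", f"[{scheme}://{rest}]"))
    return findings


if __name__ == "__main__":
    for line_no, bad, good in lint_inputs_conf(SAMPLE):
        print(f"line {line_no}: {bad} is not a valid input stanza, use {good}")
```

Running it over each inputs.conf in a deployment app before pushing it to forwarders turns a silent collection gap into a failed check.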
