Why is my Remote File & Directory input not automa...

Callumfranks · ‎08-29-2018

I currently have a Remote File & Directory Data Input on the following log
'C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'

If I disable and enable the Data Input, it will import the log data. If I then go and make events within the log, it does not automatically import in to Splunk. However, if i go back and disable and enable the Data Input, it will import the backlog of events perfectly. Is there any way to automate this?

richgalloway · ‎08-29-2018

What are the inputs.conf settings for that file?

---
If this reply helps you, Karma would be appreciated.

Callumfranks · ‎08-30-2018

the inputs.conf is below:

[monitor://C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx]
disabled = 0
index = remotelog

Why is my Remote File & Directory input not automatically inputting data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation