Hi @sswigart
Please can you confirm if you can see the _internal events for the hosts which are monitoring those files?
Sir,
When I do a query (index=_internal) looking for records from any of the logs, there are no results.
Apologies if I wasn't previously clear - the purpose of the check in the _internal index is to check that your forwarder is successfully sending its own internal logs to your indexer(s) - this allows us to establish if the cause is due to a forwarding issue from the forwarder, or a problem reading in the data.
Do you see your forwarder host sending *any* logs (not specific to Trellix) in the _internal index?
No, the question wasn't for the logs from the Trellix solution. The question is whether you're getting any Splunk forwarder's own events into your _internal index from the hosts from which you will also want to pull Trellix events.
Also - where and how are you putting those inputs.conf settings?
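As an added illustration of the check being asked for above (not part of any reply in this thread), the following SPL searches separate "the forwarder is not reaching the indexer at all" from "the forwarder is connected but the monitored file is not being read". The host name `trellix-host01` is an assumed placeholder for a forwarder host that should be monitoring the Trellix files; substitute your own.

```spl
/* Step 1: is the forwarder's own splunkd log arriving at all?
   If this returns nothing for the host over the last hour, the problem is
   forwarding/connectivity (outputs.conf, firewall, indexer receiving port),
   not the Trellix input. */
index=_internal sourcetype=splunkd host=trellix-host01 earliest=-60m
| stats count latest(_time) as last_seen by host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")

/* Step 2: is the forwarder connected but failing to read the file?
   TailReader/WatchedFile messages in splunkd.log report unreadable paths,
   permission errors and files that are not matched by a monitor stanza. */
index=_internal sourcetype=splunkd host=trellix-host01 earliest=-60m
  (component=TailReader OR component=WatchedFile OR component=FileInputTracker)
| table _time host component log_level event_message

/* Step 3: confirm the host is reported as a connected forwarder by the
   indexer side (Metrics tcpin_connections), independent of the input. */
index=_internal sourcetype=splunkd group=tcpin_connections hostname=trellix-host01
| stats max(_time) as last_connection by hostname sourceIp
```

If step 1 is empty, fix forwarding before touching inputs.conf; if step 1 returns events but step 2 shows read or permission errors for the Trellix path, the inputs.conf stanza (its location, the `[monitor://...]` path, and the account the forwarder runs as) is where to look.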