I cleared the event log files and restarted Splunk and that did the trick, I have been receiving the logs since then. Thanks! ... View more

I haven't modified the outputs.conf file, if I save the event viewer items to a local file and ask splunk to monitor the local file I get the same message on the splunkd log: 06-05-2012 13:43:40.103 -0400 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'C:\Program Files (x86)\EBSCO\SDIAlertService\Logs\temp.evtx': total_events='0' with empty_msg='0'. However this file is about 12MB in size and contains about 200 events. I installed the UF through the GUI. ... View more

I am now monitoring the Windows event log directory, the corresponding entry on my inputs.conf file says: [monitor://C:WindowsSystem32WinevtLogsApplication.evtx] disabled = false I can view the entries through the Event Viewer. However these aren't being forwarded by the forwarder, the splunkd log file entry shows: 06-05-2012 13:21:05.665 -0400 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'C:WindowsSystem32WinevtLogsApplication.evtx': total_events='0' with empty_msg='0'. Any suggestions/work arounds would be appreciated. ... View more

Yes, the application event log has data which I can view through the Event Viewer. The machine is running Windows 2008, I was reading about the alwaysOpenFile option ... would this be applicable in this case? ... View more