When you see an WinEventMon:: error stating it is unable to find the Log with channel name="foo" often means the the Event Log Name is named differently then what is configured in your forwarder's inputs.conf stanza. Also the "File Replication Service" is considered a non-default Windows event log. You must import them to the Windows Event Viewer. After you import the log, you can add them to your forwarder's local copy of inputs.conf , as follows: [WinEventLog://File Replication Service] disabled = 0 This may fix both problems, if not double-check your Regex statement for accuracy. A issue I had was I needed to monitor workstation cdrom usage. For my forwarder's inputs.conf is was using the following stanza: [WinEventLog://Microsoft-Windows-CDROM] disabled = 0 But if you take a look at the logs using poweshell: Get-WinEvent -ListProvider cdrom you see: PS C:\> Get-WinEvent -ListProvider cdrom Name : cdrom LogLinks : {System} Opcodes : {} Tasks : {} Name : Microsoft-Windows-CDROM LogLinks : {Microsoft-Windows-CDROM/Operational} Opcodes : {win:Info} Tasks : {CDROM_DRIVER} Looking at the LogLinks, I see I needed to use the System log and proper event codes. Changed my stanza to reflect looking at the system log and to blacklist all but the code i wanted: [WinEventLog://System] disabled=0 blacklist1= 0-112,114-99999 Regards, Michael Stillmunks ... View more

Jose, When you see an WinEventMon:: error stating it is unable to find the Log with channel name="foo" often means the the Event Log Name is named differently then what is configured in your forwarder's inputs.conf stanza. Also the "File Replication Service" is considered a non-default Windows event log. You must import them to the Windows Event Viewer. After you import the log, you can add them to your forwarder's local copy of inputs.conf , as follows: [WinEventLog://File Replication Service] disabled = 0 Regards, Michael Stillmunks ... View more

I am using UF 6.2.3 and I started to see this error message as well. For me, it started when I added two strings to the inputs.conf stanza on our Windows Domain Controllers (2008 R2). I deployed a new configs that added the following lines to the inputs.conf file located on the forwarder at: C:\Program Files\SplunkUniversalForwarder\etc\apps\local\inputs.conf I added the evt dns and dc names. [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 %|250214524_4|% ... evt_dc_name = <domain name> evt_dns_name =<domain name ... I was trying to see if it would help on SID EVENT translations, but really just caused the event messages to report the description error. Once I remove the lines from the stanza and restarted the splunk service, I started to received the correctly formatted events. I also seen some users install an updated version afer 6.2.x of the UF install over there current one with success. I suspect the new install just overwrote the inputs.conf and now they now longer see the issue, but i am not certain. /Michael ... View more