The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version Windows TA and test or try using the following Regex. blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" ... View more

Maybe. A quick googling shows that Blue Coat can send its syslog via tcp over an SSL link. Splunk can listen for a TCP input with SSL encryption. This "should work". See https://kb.bluecoat.com/index?page=content&id=KB4294 for the Blue Coat side of this. In Splunk, this is an inputs.conf stanza of type tcp-ssl . Lukas Camenzind has blogged about this setup, including some of the SSL certificate issues he discovered, at http://www.looke.ch/wp/integrating-bluecoat-proxy-sg-access-logs-into-splunk Another option (if the Blue Coat supports it) is IPSec. You could configure host-to-host IPSec and have all traffic between the two devices encrypted by the IP stack. However, I can find no evidence that Blue Coat can support this. ... View more

I've seen the same thing as both Lowell and johntobin. We recently upgraded from 6.0.2 to 6.1.3, and wound up with a number of files I had to chown to the splunk user. Additionally, we have run into a permissions issue when it starts up: WARN FilesystemChangeWatcher - error reading directory "/path/to/syslogs": Permission denied The splunk user is part of a group which has read only access to these files. Unfortunately, with the new init script setup and the SPLUNK_OS_USER (which is set properly in /opt/splunkforwarder/etc/splunk-launch.conf) this fails to start up. Workarounds seem to be as previously stated: 1) su to the splunk user and start it with /opt/splunkforwarder/bin/splunk start OR 2) Revert to the old init script. Either of these work. Just wanted to point out this had not been fixed yet as of 6.1.3. ... View more

Thanks @jd260. If I had found this answer this morning, it would have saved me hours of work. Why this isn't in the Splunk docs is a mystery. ... View more