That must be new, because every Windows UF I've installed has asked which inputs I want to enable. So if the installer isn't going to do it, then you'll have to do it yourself. Create the following directory path: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default. In that directory, create and edit a file called 'inputs.conf'. Add the following lines, changing 'checkpointInterval' to a different value (in seconds) if desired.

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Forwarded Events]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

Create an index called 'wineventlog' on your Splunk server and then restart the UF.
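The following is an added example, not part of the answer above and not Splunk's own code. It renders the same five WinEventLog stanzas from a list of channel names, parses the resulting inputs.conf back with Python's configparser, and audits it the way a defender would before trusting the forwarder: every stanza must be enabled, point at the expected index and carry a positive checkpointInterval, and the Security channel (where logon and audit events land) must actually be collected. The function names, the DEFAULT_CHANNELS list and the audit rules are assumptions made for this example; the stanza keys and values are exactly those in the post.

```python
import configparser

# Channels enabled in the answer above (constructed list for this example).
DEFAULT_CHANNELS = ["Application", "Security", "System", "Forwarded Events", "Setup"]

# Path from the answer above; only used for documentation here, nothing is written to disk.
INPUTS_CONF_PATH = r"C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default\inputs.conf"


def build_inputs_conf(channels=DEFAULT_CHANNELS, index="wineventlog", checkpoint_interval=10):
    """Render inputs.conf stanzas in the same shape as the post (hypothetical helper)."""
    if checkpoint_interval < 1:
        raise ValueError("checkpointInterval must be a positive number of seconds")
    stanzas = []
    for channel in channels:
        stanzas.append(
            f"[WinEventLog://{channel}]\n"
            f"checkpointInterval = {checkpoint_interval}\n"
            "current_only = 0\n"
            "disabled = 0\n"
            f"index = {index}\n"
            "start_from = oldest\n"
        )
    return "\n".join(stanzas)


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza_name: {key: value}}.

    Splunk keys are case-sensitive (checkpointInterval), so key case is preserved,
    and only '=' is accepted as a delimiter because stanza names contain '://'.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def audit_wineventlog_inputs(text, expected_index="wineventlog", required=("Security",)):
    """Return a list of problems; an empty list means the config collects what we expect."""
    stanzas = parse_inputs_conf(text)
    problems = []
    enabled = set()
    for name, kv in stanzas.items():
        if not name.startswith("WinEventLog://"):
            continue  # other input types are out of scope for this audit
        channel = name[len("WinEventLog://"):]
        if kv.get("disabled", "0") != "0":
            problems.append(f"{channel}: stanza is disabled")
            continue
        if kv.get("index") != expected_index:
            problems.append(f"{channel}: index is {kv.get('index')!r}, expected {expected_index!r}")
        try:
            if int(kv.get("checkpointInterval", "0")) <= 0:
                problems.append(f"{channel}: checkpointInterval must be > 0")
        except ValueError:
            problems.append(f"{channel}: checkpointInterval is not an integer")
        enabled.add(channel)
    # A silently missing Security channel is the failure mode that hurts most in an AD environment.
    for channel in required:
        if channel not in enabled:
            problems.append(f"{channel}: channel is not collected")
    return problems


if __name__ == "__main__":
    conf = build_inputs_conf()
    print(f"# would be written to {INPUTS_CONF_PATH}")
    print(conf)
    print("audit:", audit_wineventlog_inputs(conf) or "ok")
```

Run it to print the generated inputs.conf and an audit verdict; pointing `audit_wineventlog_inputs` at the text of a deployed file catches a stanza that was accidentally left `disabled = 1` or routed to the wrong index before the forwarder is restarted.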