Hi all,
I've set up a heavy forwarder on Server B, and forward the entries in the Windows Security log to Server A (Indexer).
I configured the inputs.conf on Server B, let's say at 9 AM in the morning, and the entries are forwarded and indexed successfully. However, it seems like it only captures data from 9 AM onward, not including older entries.
The content of inputs.conf:
[default]
host = hostname.com
[WinEventLog:Security]
disabled = 0
index = security_index
current_only = 0
start_from = oldest
Am I missing something here?
Thank you