I'm trying to create a new index called 'winevents_endpoint'. I've added this index to the Search Head, Indexer, and Heavy Forwarder (not sure if it's needed on all of them?). When I set an input in inputs.conf on the Universal Forwarder, I set the index to 'winevents_endpoint'.
[WinEventLog://Security]
disabled = 0
index = winevents_endpoint
However, if I search 'index=winevents_endpoint' on my Search Head, nothing comes up. Does anyone know what could be the issue? I can see that when I changed the index from 'main' to 'winevents_endpoint', the Universal Forwarder stopped sending stuff (AKA the index of winevents_endpoint isn't making it through, but it took effect).
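For reference, here is the indexer-side definition that a Universal Forwarder input like the one above depends on, together with the matching inputs.conf stanza. This is an added example, not configuration from the original post; the $SPLUNK_DB paths and the whitelist line are assumptions chosen for illustration, and an index only has to exist on the instances that actually write the data (the indexers), while search heads and heavy forwarders need it only for other reasons (role-based search filters, or a heavy forwarder that indexes locally).

```ini
# indexes.conf on every indexer (e.g. $SPLUNK_HOME/etc/system/local/ or a
# deployed app). Paths below are assumed defaults, not from the original post.
[winevents_endpoint]
homePath   = $SPLUNK_DB/winevents_endpoint/db
coldPath   = $SPLUNK_DB/winevents_endpoint/colddb
thawedPath = $SPLUNK_DB/winevents_endpoint/thaweddb

# inputs.conf on the Universal Forwarder. The whitelist line is an assumed
# example of narrowing a noisy Security log to logon/logoff (4624/4625/4634)
# and privilege-use (4672) events; remove it to forward everything.
[WinEventLog://Security]
disabled = 0
index = winevents_endpoint
whitelist = 4624,4625,4634,4672
```

Two checks a practitioner would run: on an indexer, `splunk btool indexes list winevents_endpoint --debug` shows whether the stanza is actually loaded and which file it came from (a stanza placed on the search head alone will not appear here); and grepping the indexer's splunkd.log for `unconfigured` turns up the "Received event for unconfigured/disabled/deleted index" messages that Splunk writes when a forwarder sends data tagged with an index the indexer does not have, which is the behaviour to look for when a forwarder appears to stop sending after an index rename. Restarting the indexer (or pushing the bundle from the cluster manager in an indexer cluster) is required for a new indexes.conf stanza to take effect.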