Hi
I'm using Splunk 5.0.2 and the latest versions of the Splunk for Windows app and TA. I have Forwarders installed on a number of Windows Server 2008 R2 machines including a domain controller.
The forwarder on the DC is sending all WinEventLog:* events to the indexer but the forwarders on the other machines are sending everything but the WinEventLog:Security events.
Why aren't my non-DC machines sending the WinEventLog:Security events?
[default]
evt_dc_name = \\DC01.mydomain
evt_dns_name =
###### OS Logs ######
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
This resolved itself with absolutely no help from me. The forwarders just started passing the WinEventLog:Security events on their own.
Was there some time delay involved? Did you have to wait minutes, hours, days? I'm seeing the same behavior and was hoping for a hint of how to resolve it. Thanks.