Deployment Architecture

Splunk Universal Forwarder command line install results in no windows event logs but manual GUI installation does?

New Member

It's not the current version, but due to multiple reasons in my environment we are still running Splunk Enterprise r6.3.0. This has worked fine with Splunk Universal Forwarder versions 6.3.0, 6.3.11, 6.3.13, and 6.5.9, on windows 10 and windows 2012r2 server. However that's when we install the UF using the msi invoked GUI, with all the windows event log boxes checked so that we get event logs forwarded to the indexer. But now, I need to install the UF by invoking a command line. So, I've used the following command below to install. The results are that the UF is installed, perfmon is forwarded, but not windows event logs.
I've read through a number of community answers, the installation doc and searched on google, but can't seem to find anything indicating that there's an issue with setting up forwarding for windows event logs when installing by command line. Would anyone have a suggestion? Am I missing something with the command line invocation?

Note: The following executed as administrator, and running with the default user of Local System. And yes, the ports the port numbers are the same used when doing a manual GUI install. Again, perfmon is being forwarded. Also, you see this is 6.5.9, but I've also tried this with the 6.3.13 installer msi.


0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...