Solved: How to edit my inputs.conf on a Windows universal ...

swannie · ‎08-17-2016

Hi all,

I'm new to Splunk and I'm having a problem getting the Universal Forwarder on Windows to forward Microsoft NPS/IAS logs to my Linux-based indexer server. I successfully have DHCP logs being forwarded and indexed from the servers in question (so I think I'm doing it right.) and if I look in the Splunk logs, it tells me that it's monitoring the directory in question, however, none of the logs seem to make it to the server.

Here's my inputs.conf:

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = DHcp.+.log

[monitor://C:\Windows\System32\LogFiles]
sourcetype = ias
crcSalt = <SOURCE>
alwaysOpenFile=1
disabled = false
whitelist = IN*.log

... everything looks right to me, and as I said the DHCP logging is working great. I'm at a loss as to where I can look to troubleshoot further. Thanks for the assistance!

somesoni2 · ‎08-17-2016

Change the whitelist from whitelist = IN*.log to whitelist = IN.*\.log

View solution in original post

somesoni2 · ‎08-17-2016

Change the whitelist from whitelist = IN*.log to whitelist = IN.*\.log

swannie · ‎08-17-2016

Yup - I knew it was going to be something simple, and that was it. Being primarily a Linux person I'm a little embarrassed I didn't think of that. Since it was on Windows, RegEx didn't even enter my mind! 🙂

Thanks so much!!

How to edit my inputs.conf on a Windows universal forwarder to forward NPS/IAS logs to my Linux indexer?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!