I am using the UF to try and collect logs from a custom Windows application. Below is my inputs.conf stanza. However, I am not seeing the logs. How can I see if they are getting collected, and how can I see if they are getting to the indexer?
[WinEventLog://Quest File Access Audit]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
Hi pfabrizi,
On the server running the universal forwarder, enter this URI into a web browser:
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
The username and password are the local Splunk universal forwarder ones (by default Splunk/changeme, or whatever you set them to during install). Read more here: https://www.splunk.com/blog/2011/01/02/did-i-miss-christmas-2.html
If the events are monitored, good. Log in to your Splunk Web UI and run an all time
search on index=wineventlog
It may be that the timestamp is not recognised. If so, read here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
If the events are not being monitored by the universal forwarder, it might be a permission issue on the Windows box ...
Hope this helps ...
cheers, MuS
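Added example (not part of the original answer, and not Splunk's own tooling): a PowerShell check, run on the forwarder host, for the collection and permission questions raised above. The channel name comes from the stanza in the question; the service name SplunkForwarder and the splunkd.log path are assumed install defaults.

```powershell
# Added example: forwarder-side checks for the stanza in the question.
$Channel   = 'Quest File Access Audit'   # from the [WinEventLog://...] stanza
$Service   = 'SplunkForwarder'           # assumption: default UF service name
# Assumption: default UF install path; adjust if the forwarder lives elsewhere.
$SplunkLog = 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log'

# 1. Does a channel with exactly this name exist, and does it hold events?
#    A stanza that names a channel Windows does not know collects nothing.
try {
    $log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
    '{0}: enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
    # The SDDL string shows which principals may read the channel.
    "Channel ACL (SDDL): $($log.SecurityDescriptor)"
} catch {
    Write-Warning "Channel '$Channel' not readable from this session: $($_.Exception.Message)"
}

# 2. Which account does the forwarder run as? That account, not the one
#    running this script, is the one that needs read access to the channel.
$svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
if ($svc) {
    '{0}: state={1} account={2}' -f $svc.Name, $svc.State, $svc.StartName
} else {
    Write-Warning "Service '$Service' not found."
}

# 3. Has splunkd logged anything that mentions this channel?
#    Show the most recent matching lines, if any.
if (Test-Path -LiteralPath $SplunkLog) {
    Select-String -LiteralPath $SplunkLog -SimpleMatch $Channel |
        Select-Object -Last 20 |
        ForEach-Object Line
} else {
    Write-Warning "splunkd.log not found at $SplunkLog"
}
```

If step 1 succeeds in an elevated session but the account shown in step 2 is not covered by the channel ACL, that points to the permission issue mentioned in the answer.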