Hello,
I installed the Universal Forwarder v4.3.5 on a Windows 7 system, and during the install I checked off the boxes to monitor the Application, Security, and System event logs. When the installation was complete I checked out my Splunk Indexer, and noticed that only the Application log was being forwarded.
I checked out my $SPLUNK_HOME\etc\system\local\inputs.conf file, and all it contained was:
[default]
host = my_host
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
I had to manually add:
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
to get the logs to show up on my Indexer. Is there a reason why the Universal Forwarder isn't doing this when I select those options during the install?
Thank you!