Channel: Questions in topic: "universal-forwarder"

I see the wineventlog index growing after universal forwarder installation on Windows, but why are there no Windows events in the Search app Data Summary?

Greetings all! I haven't worked with Splunk in about a year so I'm a little rusty. Anyhow, I have Linux systems logging to Splunk no issue. However, I seem to be running into a problem with Windows logs. I installed a Universal Forwarder on a few systems. I adjusted the inputs.conf under the system/local folder with the below stanza. When I went into Search and Reporting > Data Summary, I was not seeing entries there for logs coming from these systems. However, I checked the wineventlog index and it was rapidly growing. Then, I thought maybe it was an index issue, so I created a new index and updated the stanza to point to that instead. Same issue - didn't see timestamp updates under Data Summary but the index was growing. Verified I couldn't search for the logs either. Ideas? Thanks much in advance!

###### OS Logs ######
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://Security]
disabled = false
start_from = oldest
current_only = 0
suppress_text = 1
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 5140,5156-5157,4674
index = wineventlog

[WinEventLog://System]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog

[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 0
disabled = false
start_from = oldest
index = wineventlog
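The stanzas in the question decide two things a defender will want to verify before trusting the index contents: which index each WinEventLog input is actually writing to, and which Security events the blacklist lines drop on the forwarder before they ever reach the indexer. The script below is an added example, not Splunk's code or the asker's; it parses the posted inputs.conf with Python's configparser (the stanza and key = value syntax is the same) and models Splunk's two blacklist forms, a comma-separated list of event IDs or ranges, and key="regex" pairs. The assumption made here, and labelled in the code, is that all key="regex" pairs on one blacklistN line must match for that line to drop the event, and that any matching line is enough. The sample events are constructed.

```python
"""Check which index a UF inputs.conf sends each WinEventLog input to, and
which Security events its blacklist lines would drop before indexing.

Added example, not Splunk's own code. Assumption: a key="regex" blacklist
line fires only when every listed key matches (AND), and any firing line
drops the event. Regexes are evaluated with Python's re, which agrees with
Splunk's PCRE for the patterns used here."""
import configparser
import re
from typing import Dict, List, Set, Tuple, Union

# Constructed sample: the fragment from the question, one setting per line.
SAMPLE_INPUTS_CONF = r"""
###### OS Logs ######
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://Security]
disabled = false
start_from = oldest
current_only = 0
suppress_text = 1
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 5140,5156-5157,4674
index = wineventlog

[WinEventLog://System]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog

[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 0
disabled = false
start_from = oldest
index = wineventlog
"""

Rule = Tuple[str, Union[Set[int], Dict[str, "re.Pattern[str]"]]]

# key="regex" pairs; the regex may contain escaped quotes and backslashes
KV_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# plain event-ID list such as 5140,5156-5157,4674
ID_LIST_RE = re.compile(r"^\s*\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*\s*$")


def load_inputs(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names as written (case matters for EventCode)
    cp.read_string(text)
    return cp


def enabled_index_map(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Stanza -> target index for every input that is not disabled."""
    out: Dict[str, str] = {}
    for stanza in cp.sections():
        if cp[stanza].get("disabled", "false").lower() in ("0", "false"):
            out[stanza] = cp[stanza].get("index", "<indexer default>")
    return out


def parse_blacklist(value: str) -> Rule:
    """A blacklist value is either an ID/range list or key="regex" pairs."""
    if ID_LIST_RE.match(value):
        ids: Set[int] = set()
        for part in value.split(","):
            lo, _, hi = part.strip().partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
        return ("ids", ids)
    pairs = {k: re.compile(v) for k, v in KV_PAIR_RE.findall(value)}
    if not pairs:
        raise ValueError(f"unparseable blacklist value: {value!r}")
    return ("kv", pairs)


def blacklist_rules(cp: configparser.ConfigParser, stanza: str) -> List[Rule]:
    return [parse_blacklist(v) for k, v in cp[stanza].items()
            if re.fullmatch(r"blacklist\d*", k)]


def is_blacklisted(rules: List[Rule], event: Dict[str, str]) -> bool:
    """True if the forwarder would drop this event under the given rules."""
    for kind, rule in rules:
        if kind == "ids":
            code = event.get("EventCode", "")
            if code.isdigit() and int(code) in rule:
                return True
        elif all(k in event and rx.search(event[k]) for k, rx in rule.items()):
            return True  # assumption: every key on the line must match
    return False


if __name__ == "__main__":
    conf = load_inputs(SAMPLE_INPUTS_CONF)
    for name, idx in enabled_index_map(conf).items():
        print(f"{name} -> index={idx}")
    sec_rules = blacklist_rules(conf, "WinEventLog://Security")
    for ev in [  # constructed events, Message shortened to the relevant field
        {"EventCode": "5157", "Message": "The Windows Filtering Platform has blocked a connection."},
        {"EventCode": "4662", "Message": "Object Type:\tuser"},
        {"EventCode": "4662", "Message": "Object Type:\tgroupPolicyContainer"},
        {"EventCode": "4662", "Message": "Object Type:\t\tgroupPolicyContainer"},
    ]:
        print(ev["EventCode"], "DROPPED" if is_blacklisted(sec_rules, ev) else "kept", repr(ev["Message"]))
```

Running it shows every enabled stanza pointing at wineventlog, which matches the observation that the index grows. It also shows a caveat in the posted regex: `Object Type:\s+(?!groupPolicyContainer)` keeps a 4662 event when exactly one whitespace character precedes groupPolicyContainer, but with two or more (tabs are common in Windows message text) the `\s+` backtracks to leave one whitespace before the lookahead, the negative lookahead then succeeds, and the Group Policy event is dropped. Anchoring the lookahead to the remaining whitespace, `Object Type:\s+(?!\s*groupPolicyContainer)`, avoids that; verify any such change against real events before deploying it.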
