Hello-
I am currently trying to configure Splunk Universal Forwarders on Windows Workstations. The Universal Forwarder is configured to send security logs directly to our indexer. I have the Windows Add-On installed on the Universal Forwarder, and my inputs.conf file is in the \local\ directory. It is forwarding logs to the indexer as (mostly) intended.
The issue that I am currently experiencing is that when the Splunk service restarts on a workstation, it begins forwarding event logs to the indexer that have already been indexed. I'm semi-familiar with what the fishbucket is supposed to do, but it doesn't seem like the indexer is keeping track of my events that have already been indexed :/
Here are the relevant parts from my inputs.conf:
[WinEventLog://Security]
index = winsec
checkpointInterval = 5
disabled = 0
start_from = newest
Would greatly appreciate any help you may provide. Thank you!
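One way to confirm the re-indexing described above from an export of the indexed events, as an added example that is not part of the original post: the Windows Event Log input extracts a RecordNumber field for every event, and a (host, source, RecordNumber) triple identifies one log record, so the same triple indexed twice means the forwarder re-read the log. The sample events and index times below are constructed, not real data.

```python
"""Find Windows Security events that a forwarder shipped more than once.

Added example (not from the original post). Assumes events exported from the
winsec index with the fields host, source, RecordNumber and _indextime; the
sample below is constructed to mimic a forwarder restart at 09:10.
"""
from collections import defaultdict
from datetime import datetime


def _ev(host, record, hhmmss):
    """Build one constructed event record in the shape of a Splunk export."""
    return {"host": host, "source": "WinEventLog:Security",
            "RecordNumber": record, "_indextime": f"2024-01-10T{hhmmss}"}


SAMPLE_EVENTS = [
    _ev("WS01", 1001, "09:00:01"),
    _ev("WS01", 1002, "09:00:02"),
    _ev("WS01", 1003, "09:00:03"),
    # Splunk service restarted on WS01 around 09:10: old records arrive again.
    _ev("WS01", 1003, "09:10:05"),
    _ev("WS01", 1002, "09:10:05"),
    _ev("WS01", 1004, "09:10:06"),
    # Same RecordNumber on another host is a different record, not a duplicate.
    _ev("WS02", 1002, "09:00:02"),
]


def find_duplicate_records(events):
    """Return {(host, source, RecordNumber): sorted index times} for records indexed twice or more."""
    seen = defaultdict(list)
    for ev in events:
        key = (ev["host"], ev["source"], int(ev["RecordNumber"]))
        seen[key].append(datetime.fromisoformat(ev["_indextime"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def reingest_summary(events):
    """Per host: how many records were re-indexed and when the first re-ingest happened.

    The first re-ingest time is what to line up against the forwarder's restart.
    """
    summary = {}
    for (host, _src, _rec), times in find_duplicate_records(events).items():
        entry = summary.setdefault(host, {"duplicates": 0, "first_reingest": None})
        entry["duplicates"] += 1
        first_again = times[1].isoformat()  # earliest second indexing of this record
        if entry["first_reingest"] is None or first_again < entry["first_reingest"]:
            entry["first_reingest"] = first_again
    return summary


if __name__ == "__main__":
    for key, times in find_duplicate_records(SAMPLE_EVENTS).items():
        print(key, [t.isoformat() for t in times])
    print(reingest_summary(SAMPLE_EVENTS))
```

Running it against a real export (for example the result of a search over index=winsec that returns host, source, RecordNumber and _indextime) shows whether the duplicates cluster at the restart time, which separates a checkpoint problem from ordinary event collection.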