I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.
Splunk_TA_windows/
├── default
│ └── inputs.conf #unchanged defaults
├── local
│ └── inputs.conf #edited
I enabled the Security log in local/inputs.conf, like:
[WinEventLog://Security]
disabled = 0
Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:
[WinEventLog://Application]
disabled = 0
Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?
↧