Good afternoon,
I'm testing out Splunk. I have installed Splunk Light on a VM, and installed a few forwarders. The first few machines were 2003, so I installed an older forwarding agent (6.1.10). That went just fine and the hosts are listed in the default search page; I've successfully created reports based on the security event logs.
My next machine is 2012 R2, so I've installed the Universal Forwarder (6.4.1) - the host is not appearing in the list, and typing `host=` into the search bar suggests only the aforementioned servers are matches. I added an entry to inputs.conf:
```
[WinEventLog://Security]
disabled = false
```
Alas, no change. I can see that there is an established connection in netstat, but that's about it.
Any tips on where to go next?