Hi all,
I'm new to Splunk and I'm having a problem getting the Universal Forwarder on Windows to forward Microsoft NPS/IAS logs to my Linux-based indexer server. I successfully have DHCP logs being forwarded and indexed from the servers in question (so I *think* I'm doing it right.) and if I look in the Splunk logs, it tells me that it's monitoring the directory in question, however, none of the logs seem to make it to the server.
Here's my inputs.conf:
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt =
alwaysOpenFile=1
disabled = false
whitelist = DHcp.+.log
[monitor://C:\Windows\System32\LogFiles]
sourcetype = ias
crcSalt =
alwaysOpenFile=1
disabled = false
whitelist = IN*.log
... everything looks right to me, and as I said the DHCP logging is working great. I'm at a loss as to where I can look to troubleshoot further. Thanks for the assistance!