I want to send "WinEventLog:Security" logs to the **Heavy forwarder (KIWISERVER)**, and below are the configuration files that I have created on the **Universal forwarder**.
**inputs.conf:**

```
[WinEventLog://Security]
disabled = 0
index = activedirectory
sourcetype = adlog_003
```
**outputs.conf:**

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xx:9997

[tcpout-server://xxx.xx.xxx.xx9997]
```
When I look at the splunkd log it shows "**Connected to idx=xxx.xx.xxx.xx:9997**", but I'm unable to see the events in Splunk search with `index=active*`.
**Sample splunkd log file:**

```
12-17-2016 01:09:30.162 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log'.
12-17-2016 01:09:30.162 -0500 INFO WatchedFile - Will begin reading at offset=424312 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log'.
12-17-2016 01:09:30.178 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log'.
12-17-2016 01:09:30.178 -0500 INFO WatchedFile - Will begin reading at offset=854 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.
12-17-2016 01:09:30.287 -0500 INFO TcpOutputProc - Connected to idx=xxx.xx.xxx.xx:9997
```
Please let me know what mistake I have made.
![noresults][1]
[1]: /storage/temp/173422-results.png
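As an added example that is not part of the question above, the following lint script parses an outputs.conf fragment (a copy of the one posted above is embedded as constructed input) and reports stanza targets that are not in host:port form or that do not match any server in the default group. The stanza names, keys and the host:port regex are assumptions about the file format, not taken from a Splunk tool.

```python
import configparser
import re

# Constructed copy of the outputs.conf posted in the question, embedded so the script runs offline.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xx:9997

[tcpout-server://xxx.xx.xxx.xx9997]
"""

# A forwarding target must be host:port; anything else is flagged (assumed format check).
HOST_PORT = re.compile(r"^[^\s:]+:\d{1,5}$")


def lint_outputs_conf(text):
    """Return a list of problems found in a Splunk outputs.conf fragment."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case exactly as written (defaultGroup, server)
    cp.read_string(text)
    problems = []

    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if group is None:
        problems.append("[tcpout] has no defaultGroup")
        return problems
    group_section = f"tcpout:{group}"
    if not cp.has_section(group_section):
        problems.append(f"defaultGroup '{group}' has no [{group_section}] stanza")
        return problems

    # server may be a comma-separated list of host:port targets
    servers = [s.strip() for s in cp.get(group_section, "server", fallback="").split(",") if s.strip()]
    if not servers:
        problems.append(f"[{group_section}] lists no server")
    for s in servers:
        if not HOST_PORT.match(s):
            problems.append(f"server '{s}' is not host:port")

    # Every per-server override stanza must name a host:port that the group actually sends to.
    for section in cp.sections():
        if section.startswith("tcpout-server://"):
            target = section[len("tcpout-server://"):]
            if not HOST_PORT.match(target):
                problems.append(f"[{section}] target '{target}' is not host:port (missing colon?)")
            elif target not in servers:
                problems.append(f"[{section}] does not match any server in [{group_section}]")
    return problems
```

Running `lint_outputs_conf(OUTPUTS_CONF)` flags the `tcpout-server://` stanza whose target lacks the colon before the port; with the colon restored the fragment passes cleanly.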