
Splunk Universal Forwarder is ignoring logs

*OS: Windows Server 2008 R2 Enterprise*
*Splunk Universal Forwarder version: 6.2.6 (build 274160)*

Hi, good day. I would like to seek assistance in resolving my issue. Here's the case: I have 5 universal forwarders and an app config in a server class, and have this stanza in my `inputs.conf`:

```
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = dhcp_winevt
renderXml=false

###### DHCP ######
[monitor://C:\Windows\System32\dhcp\DhcpSrv*]
disabled = 0
sourcetype = dhcp_server_logs
index = dhcp_index
## connection_host = none
```

Indexing of the logs was fine for the first and second months; then, eventually, **2 of 5** universal forwarders stopped forwarding the DHCP logs, as seen in the `inputs.conf` stanza, but are still forwarding the Security logs. So we then checked the logs on the server side, but the DHCP log is still actively logging.

What seems to be the problem here? Thanks in advance.
