I am in the process of adding the following to an inputs.conf file with the intent of forwarding events from a Windows Event Forwarding Server:
[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
This has prompted a question, though. It is my understanding that the "current_only" value can be used to tell Splunk to either start reading events from the beginning, or only the most current (as in tail -f). If the forwarder service stops for some reason, and events are not forwarded, is there a way to instruct the forwarder to "pick up where it left off" so to speak? Is the forwarder capable of remembering the last event which was forwarded so to start at that point as opposed to either at the beginning or end?
Thank you.
↧