Monitor remote Windows event logs

If you’ve installed a forwarder on a Windows machine, you can edit the inputs.conf file to configure Windows event logs that you want to monitor. Here is the configuration to monitor Windows Security, Application, and System event logs and store them in the index called remotelogs:

Restart the forwarder in order for the changes to take effect. We can run a search on our Splunk indexer to verify that events have indeed been indexed:

Monitor logs using forwarders
Install a Splunk forwarder on Linux

Monitor remote Windows event logs

Splunk tutorial