Configure Splunk Universal Forwarder

After you install the Splunk Universal Forwarder, you can configure the types of events to send to Splunk Enterprise.

To configure the types of events, edit the inputs.conf file. In a default installation of the Splunk Universal Forwarder, the file is located in this folder:

C:\Program Files\SplunkUniversalForwarder\etc\system\local

Depending on the access rights of your user account, you might need to change the permissions on the file before you can save your changes.

This example collects Endpoint Privilege Management events from the local endpoint or from a Windows Event Forwarder node:

[default]
host = DESKTOP-OU2VDC4
[WinEventLog://Avecto Defendpoint Service]
disabled = false

If you use the alternate log location, the event log name and source name are BeyondTrust Privilege Management, so use that log name in the WinEventLog stanza instead of Avecto Defendpoint Service.

Restart the Splunk Universal Forwarder service for the changes to take effect.
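Before restarting the forwarder, it is worth verifying that the inputs.conf you saved actually enables one of the two Privilege Management event logs named above. The following added example (not part of the original page or of the Splunk or BeyondTrust products) parses the stanza format and reports the common mistakes: a missing WinEventLog stanza, an input left disabled, and a missing host value. The sample configuration texts are constructed for illustration.

```python
"""Check a Splunk Universal Forwarder inputs.conf for the Privilege
Management WinEventLog input (added example, not from the page)."""
import configparser

# Event log names the page names: the default log, and the alternate one.
EXPECTED_LOGS = ("Avecto Defendpoint Service", "BeyondTrust Privilege Management")


def parse_inputs_conf(text):
    """Parse inputs.conf text (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_privilege_management_input(text):
    """Return (ok, findings). ok is True only when at least one expected
    WinEventLog stanza is present and not disabled."""
    stanzas = parse_inputs_conf(text)
    findings = []
    present = [n for n in EXPECTED_LOGS if f"WinEventLog://{n}" in stanzas]
    if not present:
        findings.append("no WinEventLog stanza for " + " or ".join(EXPECTED_LOGS))
    enabled = []
    for name in present:
        settings = stanzas[f"WinEventLog://{name}"]
        # Splunk accepts 0/1 and true/false; anything else is treated as enabled
        if settings.get("disabled", "false").strip().lower() in ("1", "true"):
            findings.append(f"[WinEventLog://{name}] is disabled")
        else:
            enabled.append(name)
    if not stanzas.get("default", {}).get("host"):
        findings.append("[default] sets no host; events will carry the forwarder's default host")
    return bool(enabled), findings


# Constructed sample: the configuration shown on this page.
PAGE_EXAMPLE = """\
[default]
host = DESKTOP-OU2VDC4
[WinEventLog://Avecto Defendpoint Service]
disabled = false
"""

# Constructed sample: a common mistake, the input left disabled.
DISABLED_EXAMPLE = """\
[WinEventLog://Avecto Defendpoint Service]
disabled = 1
"""
```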

For more information about editing the inputs.conf file, see https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf.