Configure Splunk Universal Forwarder
After you install the Splunk Universal Forwarder, you can configure the types of events to send to Splunk Enterprise.
To configure the type of events, you need to edit the inputs.conf file. In a default installation of the Splunk Universal Forwarder, the file is stored in this path:
Depending on your user access, you might need to change the permissions on the file to apply changes.
This example collects Privilege Management events from that endpoint or the Windows Event Forwarder node:
[default]
host = DESKTOP-OU2VDC4

[WinEventLog://Avecto Defendpoint Service]
disabled = false
If you use an alternate log location, the event log name and source name should be BeyondTrust Privilege Management.
Restart the Splunk Universal Forwarder service for the changes to take effect.
For more information about editing the inputs.conf file, please see https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf.
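The following is an added example, not part of the vendor documentation: a small Python check that reads the text of an inputs.conf and reports whether a WinEventLog stanza for either event log name mentioned above is present and explicitly enabled. The function names and the sample text are constructed for illustration, and the check assumes only an explicit disabled = false or disabled = 0 counts as enabled.

```python
# Added example: check inputs.conf text for the Privilege Management event log input.
# The two channel names come from the page; SAMPLE is constructed.
import re

CHANNELS = ("Avecto Defendpoint Service", "BeyondTrust Privilege Management")
FALSE_VALUES = {"false", "0"}  # values this check accepts as "not disabled" (assumption)

def parse_stanzas(text):
    """Return {stanza_name: {key: value}}; a repeated key keeps its last value."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # A stanza header must sit alone on its line to be recognised here.
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_inputs(text):
    """Map each expected channel to 'enabled', 'disabled', 'unset' or 'missing'."""
    stanzas = parse_stanzas(text)
    report = {}
    for channel in CHANNELS:
        settings = stanzas.get("WinEventLog://" + channel)
        if settings is None:
            report[channel] = "missing"
        elif "disabled" not in settings:
            report[channel] = "unset"
        elif settings["disabled"].lower() in FALSE_VALUES:
            report[channel] = "enabled"
        else:
            report[channel] = "disabled"
    return report

SAMPLE = """\
[default]
host = DESKTOP-OU2VDC4

[WinEventLog://Avecto Defendpoint Service]
disabled = false
"""

if __name__ == "__main__":
    for channel, state in check_inputs(SAMPLE).items():
        print(f"{channel}: {state}")
```

A stanza pasted onto a single line together with its settings is reported as missing, which catches copy-and-paste damage before the forwarder is restarted.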