Sample stanzas for Windows
Here are customized sample stanzas for a universal forwarder inputs.conf file.
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf
You can also add new file(s) to monitor.
# Windows event log inputs: the Application, Security, System, ForwardedEvents
# and Setup channels, all sent to the 'wineventlog' index.
# Every stanza in this group uses the same settings:
#   checkpointInterval = 5   save the read position every 5 seconds
#   current_only = 0         do not limit collection to events logged after the input starts
#   start_from = oldest      read the channel starting from its oldest retained event
#   disabled = 0             the input is enabled
# With current_only = 0 and start_from = oldest, the first run reads the whole
# retained backlog of each channel, so expect an initial burst of data.
# NOTE(review): confirm the 'wineventlog' index exists on the indexers before
# deploying; events addressed to a missing index may be dropped.
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
# Security channel: holds the host's audit events, as determined by its audit
# policy. Limit read access to the destination index to the roles that need it.
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
# NOTE(review): ForwardedEvents normally holds data only on a host that acts as
# a Windows Event Collector; confirm this forwarder is one.
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
# Active Directory monitoring input, sent to the 'msad' index.
# monitorSubtree = 1 monitors the containers beneath the starting point as well
# as the starting point itself.
# No targetDc or startingNode is set here, so the input picks its own domain
# controller and starting point (the stanza name suggests the nearest DC).
# NOTE(review): this data describes directory objects such as users and groups.
# Restrict access to the 'msad' index, and consider enabling this input on only
# one forwarder per domain to avoid duplicate data and extra load on the DCs.
[admon://NearestDC]
monitorSubtree = 1
index = msad
# Performance Monitor inputs, all sent to the 'perfmon' index.
#   object     the performance object to query
#   counters   counters of that object to collect; separate several with ';'
#   instances  which instances to collect ('_Total' or '*' in these stanzas)
#   interval   polling interval in seconds
# CPU: total processor time and user time, polled every 10 seconds.
[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = _Total
interval = 10
object = Processor
index = perfmon
# Memory: available bytes, polled every 10 seconds. No 'instances' key is set
# for this stanza.
[perfmon://Available Memory]
counters = Available Bytes
interval = 10
object = Memory
index = perfmon
# Disk: free megabytes and percent free space, polled once an hour (3600 s).
[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = _Total
interval = 3600
object = LogicalDisk
index = perfmon
# Network: bytes received and sent per second for every interface ('*'),
# polled every 10 seconds.
[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object = Network Interface
index = perfmon
# File monitor input: reads C:\Log\filelog.csv and sends it to the
# 'csvmonitor' index.
# 'disabled = false' enables the input; the other stanzas in this file write the
# same boolean as 0.
# NOTE(review): no sourcetype is set, so one is assigned automatically; confirm
# the result is what the CSV field extraction expects. Also confirm the account
# running the forwarder can read this path and that the file holds only data
# intended for the index's readers.
[monitor://C:\Log\filelog.csv]
disabled = false
index = csvmonitor
# Additional event log channels: DNS Server goes to the 'dns' index, Directory
# Service and File Replication Service go to the 'msad' index.
# Only 'disabled' and 'index' are set, so every other setting keeps its default.
# NOTE(review): these channels normally exist only on hosts that run the
# matching role (DNS server, domain controller); confirm before deploying this
# file to other hosts.
[WinEventLog://DNS Server]
disabled = 0
index = dns
[WinEventLog://Directory Service]
disabled = 0
index = msad
[WinEventLog://File Replication Service]
disabled = 0
index = msad
# Windows network monitoring input named 'splunkdc01', sent to the 'windows'
# index.
# NOTE(review): no filter settings (for example direction, protocol or process)
# are present, so nothing narrows what is collected. Check the resulting volume
# and decide whether every connection on this host needs to be recorded.
[WinNetMon://splunkdc01]
disabled = 0
index = windows
# Windows host monitoring inputs. Each stanza queries one category of host
# information ('type') every 300 seconds and sends it to the 'windowshost' index.
# Queries computer information.
[WinHostMon://computer]
type = Computer
interval = 300
index = windowshost
# Queries OS information.
# interval = 300 runs this query every 300 seconds. A negative 'interval'
# would instead tell Splunk Enterprise to run the input once only.
[WinHostMon://os]
type = operatingSystem
interval = 300
index = windowshost
# Queries processor information.
[WinHostMon://processor]
type = processor
interval = 300
index = windowshost
# Queries hard disk information.
[WinHostMon://disk]
type = disk
interval = 300
index = windowshost
# Queries network adapter information.
[WinHostMon://network]
type = networkAdapter
interval = 300
index = windowshost
# Queries service information.
# This example runs the input every 5 minutes.
[WinHostMon://service]
type = service
interval = 300
index = windowshost
# Queries information on running processes.
# This example runs the input every 5 minutes.
# NOTE(review): this is a periodic snapshot. A process that starts and exits
# between two polls will not appear, so do not treat this input as a
# replacement for process-creation auditing in the Security event log.
[WinHostMon://process]
type = process
interval = 300
index = windowshost