
This is a compact inputs.conf example for collecting the standard Windows event logs and the Sysmon operational log with Splunk Universal Forwarder. It keeps the configuration intentionally small so it can be adapted into a deployment app or lab forwarder without pulling in unrelated settings.

One operational note: keep Sysmon in XML mode when possible. The XML payload preserves richer event data and tends to be much easier to search reliably than the rendered text form.

# Standard Windows channels: all three land in one index with the
# classic (rendered text) sourcetype.
[WinEventLog://Application]
disabled = false
index = wineventlog
sourcetype = wineventlog

[WinEventLog://Security]
disabled = false
index = wineventlog
sourcetype = wineventlog

[WinEventLog://System]
disabled = false
index = wineventlog
sourcetype = wineventlog

# Sysmon: renderXml = true ships the full event XML so every
# <Data Name="..."> element survives as its own field.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index = sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype = wineventlog
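To show concretely why the XML form is the easier one to search, here is an added example (not part of the original post) that flattens one Sysmon event, as the forwarder ships it with renderXml = true, into named fields. The event itself is constructed for the example; the host, user and paths are made up.

```python
import xml.etree.ElementTree as ET

# Windows event XML lives in this namespace; ElementTree needs it for lookups.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Sysmon Event ID 1 (process create) in the shape the
# forwarder emits when renderXml = true. All values are made up.
SAMPLE_EVENT = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>lab-ws01.example.local</Computer>
    <TimeCreated SystemTime="2024-01-01T12:00:00.000000000Z"/>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="User">LAB\alice</Data>
  </EventData>
</Event>
"""


def parse_sysmon_xml(xml_text):
    """Flatten one XmlWinEventLog event into a dict of searchable fields."""
    root = ET.fromstring(xml_text.strip())
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    # Every <Data Name="..."> becomes a first-class field. In rendered text
    # mode the same values arrive inside one free-form Message string and
    # have to be regexed back out, which is the fragility the note warns about.
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields


if __name__ == "__main__":
    for name, value in parse_sysmon_xml(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```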

Chad Duffey