topic Re: Missing Windows Event Logs? in Getting Data In

Missing Windows Event Logs?

carmackd — Tue, 03 Apr 2012 15:18:33 GMT

Since the Windows Event Viewer archives and generates a new log at 20MB (its maximum capacity), is there a risk that the Windows monitor would fail to consume an event if the events are being generated at a very quick pace? In other words, the creation of windows event logs is outpacing the Splunk monitor. For example, say your Windows server is generated X kb of Windows Security Events per second, but the splunk monitor can only consume X - 1 kb events per second, by the time the log hits 20MB and is archived, the splunk monitor has failed to consume all 20MB, so in theory I am missing some events. Is this a possibility?

Re: Missing Windows Event Logs?

jbsplunk — Tue, 03 Apr 2012 16:51:15 GMT

Can you describe the input you've got configured? Are you writing event logs to a file, or polling via WMI?

Re: Missing Windows Event Logs?

jsb22 — Tue, 03 Apr 2012 21:06:45 GMT

This does not directly address your question, but if this does become an issue, you may be able to switch from archiving events, to 'overwrite events older than X days' and increasing the log size so it has time to pull. Although, I don't think you'll have that issue, I just don't have any proof to support it.
Just a suggestion though.