Splunk Add-on for Microsoft Windows: How to find the cause of missing Windows Security Event Log entries?


I have searched the Answers site and cannot find an answer to why I get logoff events but am intermittently missing logon events in Splunk.

This is a big problem for us. I have opened a ticket with Splunk Support, but that also went nowhere, and I am hoping someone has had this issue and found a cause/fix.

We on occasion see logoff events but cannot find the matching logon event anywhere. We also have a product called Adiscon that grabs event log entries, and it always has both events. We are using the Splunk_TA_Windows add-on with the following settings:

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
index = wineventlog

Have you found a solution? We have the same problem.
The stanza looks OK to me. As part of troubleshooting, I would simplify by removing the blacklist entries to see whether that changes the outcome in any way with regard to the missing events.

Is the stanza you are showing the output of a btool query? If not, I'd recommend running splunk.exe cmd btool inputs list WinEventLog://Security to ensure that you do not have any other conflicting inputs defined on your forwarder. If the output is not what you expect, add the "--debug" flag to the end of the query to show the .conf file that each setting in the stanza comes from.

If you are getting some Security events but not all of them, and you are not blacklisting them on the universal forwarder, take a look at props.conf/transforms.conf on your receivers/indexers to ensure you are not null-routing or rewriting events along the path.
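The two checks suggested in the answer above (the forwarder blacklist and indexer-side nullQueue routing), as an added example that is not part of the original thread or of the Splunk add-on. It assumes the posted key/value pairs belong to a [WinEventLog://Security] stanza; the props.conf/transforms.conf snippets and the sample event are constructed for the example, and 4624/4634 are the Windows Security event IDs for a successful logon and a logoff. Stanza matching in props.conf is done by exact name only (no Splunk wildcard or priority rules), and only the plain "ID,ID-ID" blacklist form is expanded.

```python
"""Offline checks for missing Security events: expand the inputs.conf blacklist
and walk props.conf -> transforms.conf for nullQueue rules that would drop a
given event before it is indexed.  Constructed example; not Splunk's own code."""
import re
from configparser import ConfigParser

LOGON, LOGOFF = 4624, 4634  # Windows Security event IDs: successful logon / logoff

# Stanza from the question; the [WinEventLog://Security] header is assumed.
INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
index = wineventlog
"""

# Constructed indexer-side config that silently drops network (type 3) logons.
PROPS_CONF = """\
[source::WinEventLog:Security]
TRANSFORMS-drop = drop_network_logons
"""

TRANSFORMS_CONF = """\
[drop_network_logons]
REGEX = EventCode=4624[\\s\\S]*Logon Type:\\s+3
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed event text in the shape the Windows TA produces for a logon.
SAMPLE_EVENT = """\
04/12/2024 10:15:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WS01.example.local
TaskCategory=Logon
Message=An account was successfully logged on.

Logon Type:\t\t3
"""


def load_conf(text):
    """Parse a Splunk .conf fragment; keys stay case-sensitive (DEST_KEY, TRANSFORMS-*)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def expand_blacklist(spec):
    """Expand a '560,565-567' style blacklist value into a set of event IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or "=" in part:      # skip empty items and key=regex form
            continue
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def blacklisted_ids(inputs_text, stanza="WinEventLog://Security"):
    """Union of every blacklist / blacklist1..9 key in the input stanza."""
    ids = set()
    for key, value in load_conf(inputs_text).items(stanza):
        if re.fullmatch(r"blacklist\d*", key):
            ids |= expand_blacklist(value)
    return ids


def nullqueue_rules(props_text, transforms_text, stanza):
    """(name, compiled REGEX) for each transform referenced from `stanza` that
    routes matching events to nullQueue (DEST_KEY=queue, FORMAT=nullQueue)."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    rules = []
    if not props.has_section(stanza):
        return rules
    for key, value in props.items(stanza):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = dict(transforms.items(name)) if transforms.has_section(name) else {}
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                rules.append((name, re.compile(t.get("REGEX", ""))))
    return rules


def dropped_by(event_text, props_text, transforms_text,
               stanzas=("source::WinEventLog:Security", "WinEventLog:Security")):
    """Names of nullQueue rules whose REGEX matches the raw event, checked under
    the source:: and sourcetype stanza names the TA uses for Security events."""
    return [name
            for stanza in stanzas
            for name, rx in nullqueue_rules(props_text, transforms_text, stanza)
            if rx.search(event_text)]


if __name__ == "__main__":
    ids = blacklisted_ids(INPUTS_CONF)
    for code in (LOGON, LOGOFF):
        print(f"event {code} blacklisted on the forwarder: {code in ids}")
    print("nullQueue rules matching the sample logon:",
          dropped_by(SAMPLE_EVENT, PROPS_CONF, TRANSFORMS_CONF))
```

Run it against the real files from btool output (splunk cmd btool props list and splunk cmd btool transforms list on the indexer) instead of the inline snippets; an empty result from dropped_by means the missing logon was never null-routed by a rule on that stanza, which points back at the forwarder or the source itself.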

