Deployment Architecture

After Upgrade to 8.2.2, "WinEvent -> Defender" log stops receiving / sending?

PatrikL
New Member

Hi!

I've set up the following "app" to be delployed on my Universal Forwarders for windows:

"[WinEventLog://Microsoft-Windows-Windows Defender/Operational]

index = windefender

disabled = false

evt_resolve_ad_obj = 1"

This has worked flawlessly for years until this week when I started to NOT receive any updates from that log until restart of the Universal Forwarder.

At first I thought it had something to do with that we had updated all UFs to 8.2.2 too but today when I did some investigation I also noticed that one of the UF wasn't updated and still used version 7.2.
So my guess is that it has something to to with the splunk enterprise installation/upgrade (upgraded to 8.2.2 for about 1½weeks ago. from 7.4).

Its not that the forwarder stops completely because I still receive logging from the Security, System etc. logs in the event viewer.

It seems to just be the "defender" log and when I do a restart of the splunk service it will start to send again.


Have I missed something or should I put an ticket to splunk?

Labels (3)
0 Karma

mhoogcarspel_sp
Splunk Employee
Splunk Employee

I only just seen this post, but this issue has been reported and is being investigated (ticket with Splunk Engineering SPL-212687)

As far as I understand this is specific to Defender (and potentially some specific versions) and at least known to be  triggered by a cleanup task that defender has in the Task Scheduler:
Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Windows Defender -> Windows Defender Cache Maintenance


0 Karma

hsynli
New Member

Has there been an update and/or resolution to this issue? Or do we know the root of the issue? I have a similar, most probably the same issue. It seems to me Splunk forwarder stops sending logs when the defender platform or engine is updated (event codes 2002 and 2014, but not limited to). Logs start being sent to Splunk as soon as the splunkforwarder is restarted.

0 Karma

mhoogcarspel_sp
Splunk Employee
Splunk Employee

@hsynli wrote:

Has there been an update and/or resolution to this issue? Or do we know the root of the issue? I have a similar, most probably the same issue. It seems to me Splunk forwarder stops sending logs when the defender platform or engine is updated (event codes 2002 and 2014, but not limited to). Logs start being sent to Splunk as soon as the splunkforwarder is restarted.


That matches the issue.

Fixed in 8.2.7 and above, and also in 9.0.0 and abovehttps://docs.splunk.com/Documentation/Splunk/8.2.7/ReleaseNotes/Fixedissues#Universal_forwarder_issu...

 

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...