This has worked flawlessly for years until this week, when I started to NOT receive any updates from that log until a restart of the Universal Forwarder.
At first I thought it had something to do with the fact that we had updated all UFs to 8.2.2 too, but today when I did some investigation I also noticed that one of the UFs wasn't updated and still used version 7.2. So my guess is that it has something to do with the Splunk Enterprise installation/upgrade (upgraded to 8.2.2 from 7.4 about 1½ weeks ago).
It's not that the forwarder stops completely, because I still receive logging from the Security, System etc. logs in the Event Viewer.
It seems to just be the "defender" log, and when I do a restart of the Splunk service it will start to send again.
Have I missed something, or should I put in a ticket to Splunk?