This has worked flawlessly for years until this week when I started to NOT receive any updates from that log until restart of the Universal Forwarder.
At first I thought it had something to do with that we had updated all UFs to 8.2.2 too but today when I did some investigation I also noticed that one of the UF wasn't updated and still used version 7.2. So my guess is that it has something to to with the splunk enterprise installation/upgrade (upgraded to 8.2.2 for about 1½weeks ago. from 7.4).
Its not that the forwarder stops completely because I still receive logging from the Security, System etc. logs in the event viewer.
It seems to just be the "defender" log and when I do a restart of the splunk service it will start to send again.
Have I missed something or should I put an ticket to splunk?
I only just seen this post, but this issue has been reported and is being investigated (ticket with Splunk Engineering SPL-212687)
As far as I understand this is specific to Defender (and potentially some specific versions) and at least known to be triggered by a cleanup task that defender has in the Task Scheduler: TaskScheduler->TaskSchedulerLibrary->Microsoft->Windows->WindowsDefender->WindowsDefenderCacheMaintenance