After Upgrade to 8.2.2, "WinEvent -> Defender" log stops receiving / sending

PatrikL
New Member

Hi!

I've set up the following "app" to be deployed on my Universal Forwarders for Windows:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
evt_resolve_ad_obj = 1

This has worked flawlessly for years until this week, when I started to NOT receive any updates from that log until a restart of the Universal Forwarder.

At first I thought it had something to do with the fact that we had updated all UFs to 8.2.2 too, but today when I did some investigation I also noticed that one of the UFs wasn't updated and still used version 7.2.
So my guess is that it has something to do with the Splunk Enterprise installation/upgrade (upgraded to 8.2.2 about 1½ weeks ago, from 7.4).

It's not that the forwarder stops completely, because I still receive logging from the Security, System etc. logs in the Event Viewer.

It seems to just be the "Defender" log, and when I do a restart of the Splunk service it will start to send again.


Have I missed something, or should I put in a ticket to Splunk?

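One way to catch this stall from the indexer side instead of noticing it by accident, as an added Splunk search that is not part of the original post: it lists hosts whose Security events are still arriving but whose windefender index has been silent for more than four hours. It assumes Security events land in index=wineventlog with sourcetype WinEventLog:Security (adjust to your environment), and it will also flag hosts that simply have no Defender logging at all, so restrict to your Windows UF population if needed.

```spl
| tstats latest(_time) AS last_seen
    WHERE (index=windefender OR (index=wineventlog sourcetype="WinEventLog:Security")) earliest=-24h
    BY host index
| eval last_defender = if(index="windefender", last_seen, null()),
       last_security = if(index="wineventlog", last_seen, null())
| stats max(last_defender) AS last_defender, max(last_security) AS last_security BY host
| eval minutes_silent = round((now() - last_defender) / 60, 0)
| where last_security > relative_time(now(), "-15m")
    AND (isnull(last_defender) OR minutes_silent > 240)
| convert ctime(last_defender) ctime(last_security)
| table host last_defender last_security minutes_silent
```

Saved as an alert on a 15 minute schedule, a non-empty result set is the signal to restart the affected forwarder (or compare the stall time against the Defender cache maintenance task's last run) rather than waiting for someone to notice a gap.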

mhoogcarspel_sp
Splunk Employee

I only just saw this post, but this issue has been reported and is being investigated (ticket with Splunk Engineering SPL-212687).

As far as I understand this is specific to Defender (and potentially some specific versions) and at least known to be triggered by a cleanup task that Defender has in the Task Scheduler:
Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Windows Defender -> Windows Defender Cache Maintenance

