Hi!
I've set up the following "app" to be delployed on my Universal Forwarders for windows:
"[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
evt_resolve_ad_obj = 1"
This has worked flawlessly for years until this week when I started to NOT receive any updates from that log until restart of the Universal Forwarder.
At first I thought it had something to do with that we had updated all UFs to 8.2.2 too but today when I did some investigation I also noticed that one of the UF wasn't updated and still used version 7.2.
So my guess is that it has something to to with the splunk enterprise installation/upgrade (upgraded to 8.2.2 for about 1½weeks ago. from 7.4).
Its not that the forwarder stops completely because I still receive logging from the Security, System etc. logs in the event viewer.
It seems to just be the "defender" log and when I do a restart of the splunk service it will start to send again.
Have I missed something or should I put an ticket to splunk?
I only just seen this post, but this issue has been reported and is being investigated (ticket with Splunk Engineering SPL-212687)
As far as I understand this is specific to Defender (and potentially some specific versions) and at least known to be triggered by a cleanup task that defender has in the Task Scheduler:
Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Windows Defender -> Windows Defender Cache Maintenance
Has there been an update and/or resolution to this issue? Or do we know the root of the issue? I have a similar, most probably the same issue. It seems to me Splunk forwarder stops sending logs when the defender platform or engine is updated (event codes 2002 and 2014, but not limited to). Logs start being sent to Splunk as soon as the splunkforwarder is restarted.
@hsynli wrote:Has there been an update and/or resolution to this issue? Or do we know the root of the issue? I have a similar, most probably the same issue. It seems to me Splunk forwarder stops sending logs when the defender platform or engine is updated (event codes 2002 and 2014, but not limited to). Logs start being sent to Splunk as soon as the splunkforwarder is restarted.
That matches the issue.
Fixed in 8.2.7 and above, and also in 9.0.0 and abovehttps://docs.splunk.com/Documentation/Splunk/8.2.7/ReleaseNotes/Fixedissues#Universal_forwarder_issu...