Hi!
I've set up the following "app" to be deployed on my Universal Forwarders for Windows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
evt_resolve_ad_obj = 1
This has worked flawlessly for years until this week, when I stopped receiving any updates from that log until a restart of the Universal Forwarder.
At first I thought it had something to do with the fact that we had updated all UFs to 8.2.2 too, but today, when I did some investigating, I also noticed that one of the UFs wasn't updated and still used version 7.2.
So my guess is that it has something to do with the Splunk Enterprise installation/upgrade (upgraded from 7.4 to 8.2.2 about 1½ weeks ago).
It's not that the forwarder stops completely, because I still receive logging from the Security, System, etc. logs in the Event Viewer.
It seems to just be the "Defender" log, and when I restart the Splunk service it starts sending again.
Have I missed something, or should I open a ticket with Splunk?
I only just saw this post, but this issue has been reported and is being investigated (ticket with Splunk Engineering: SPL-212687).
As far as I understand, this is specific to Defender (and potentially some specific versions) and is at least known to be triggered by a cleanup task that Defender has in the Task Scheduler:
Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Windows Defender -> Windows Defender Cache Maintenance
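A host-side check for the failure mode described in this thread, added here as an example; it is not code from either poster or from Splunk. It assumes the Universal Forwarder runs as the Windows service "SplunkForwarder", that the Splunk host field matches the Windows computer name, and that the scheduled task and event channel are named exactly as above. It correlates the last run of the Cache Maintenance task with the forwarder's start time and the newest event in the Defender/Operational channel, and prints the Splunk search that confirms whether those events actually arrived in index=windefender.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on the forwarder host (reading the service process start time needs admin).
#Requires -RunAsAdministrator

$TaskPath    = '\Microsoft\Windows\Windows Defender\'
$TaskName    = 'Windows Defender Cache Maintenance'
$ChannelName = 'Microsoft-Windows-Windows Defender/Operational'
$ServiceName = 'SplunkForwarder'   # assumed UF service name; adjust if yours differs

function Get-ForwarderStartTime {
    # Map the service to its process so we know when the UF last (re)started.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }   # not running
    return (Get-Process -Id $svc.ProcessId).StartTime
}

function Test-DefenderForwardingGap {
    $task    = Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName
    $newest  = Get-WinEvent -LogName $ChannelName -MaxEvents 1 -ErrorAction SilentlyContinue
    $started = Get-ForwarderStartTime

    # Suspect window: the maintenance task fired while the UF was already up,
    # and the channel has received events since then. If those events are
    # missing from index=windefender, the input is wedged (as the thread
    # describes) and only a service restart gets it flowing again.
    $taskRanAfterStart  = ($null -ne $started) -and ($task.LastRunTime -gt $started)
    $eventsSinceTaskRan = ($null -ne $newest)  -and ($newest.TimeCreated -gt $task.LastRunTime)

    # Splunk accepts earliest="MM/dd/yyyy:HH:mm:ss"; use the task run time as the lower bound.
    $earliest = $task.LastRunTime.ToString('MM/dd/yyyy:HH:mm:ss')
    $search   = "index=windefender host=$env:COMPUTERNAME earliest=`"$earliest`" | stats count"

    [pscustomobject]@{
        ForwarderStarted    = $started
        TaskLastRun         = $task.LastRunTime
        TaskLastResult      = $task.LastTaskResult
        NewestDefenderEvent = if ($newest) { $newest.TimeCreated } else { $null }
        Suspect             = [bool]($taskRanAfterStart -and $eventsSinceTaskRan)
        VerifyWithSearch    = $search
    }
}

$result = Test-DefenderForwardingGap
$result | Format-List

if ($result.Suspect) {
    Write-Warning ("Cache Maintenance ran at {0} while the forwarder was up and the channel " +
                   "has newer events; run the search above. If it returns 0, the input is stuck.") -f $result.TaskLastRun
    # Remediation reported in the thread: restarting the forwarder resumes delivery.
    # Uncomment only after confirming the gap on the Splunk side.
    # Restart-Service -Name $ServiceName
}
```

If the search returns zero events while the local channel has them after the task's last run, the input has stopped reading that channel; a restart of the forwarder service is the workaround the original poster found. On the Splunk side the same condition can be watched for fleet-wide by alerting on hosts whose latest event in index=windefender is older than their latest event in the Security or System channels, which are still delivered normally.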