One of our DNS servers running a universal forwarder suddenly stopped sending Windows Event logs to our indexers.
DNS events are still being forwarded.
Hi dillardo_2,
when the UF sends some data and drops some other, the most likely cause is that the missing input is either misconfigured or that the splunk user has no access to the resources being monitored. From your post I take it that it was running, and I assume that nobody set disabled=1 in the inputs.conf just to play a joke on you. My first guess would be that some group policies changed the access to the local logs for the splunk user (or the local admin group). Have the GPOs been changed lately, or have you changed splunk to run as a user with limited access rights?
The second guess after that would be an update to Windows by Microsoft that enforces different policies on some resources. In that case I'd re-test with the latest version of the UF for Windows. In order to validate the case, check the software installation logs on Windows and check the local audit logs on Windows for any access violations or errors. You may have to step up the audit level in order to see it.
Hope it helps.
Oliver
Hi dillardo_2,
when did the Windows Event Logs stop arriving? Before or after the 30th of September?
If you received events until the 30th of September and no October events, look at the events of the 10th of April to see if your October events are there; if so, this means that there's an error in timestamp parsing (Splunk confuses month and day).
Once they stopped, you don't see events, but if you search yesterday's events, do you have results?
If yes, there's probably network congestion, so the UF sends part of the logs with a delay; you can check the delay with this search:
index=wineventlog
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S%3N"), diff=_indextime-_time
| table _time indextime diff
If none of these conditions apply, please share more information.
Bye.
Giuseppe
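As an added illustration (not code from the thread or from Splunk), here is a small Python model of the two checks described above, run over constructed sample events: the indexing delay that the SPL `eval diff=_indextime-_time` computes, and the month/day swap where a raw date such as 04/10 (4 October in day/month order) is indexed as 10 April. The field names `raw_time`, `_time` and `_indextime` and the sample values are assumptions for the example.

```python
# Added example, not code from the thread: models the two checks Giuseppe
# describes on constructed Windows-event-style timestamps.
#   1. indexing delay, i.e. the SPL "eval diff=_indextime-_time"
#   2. the month/day swap, where a raw date like 04/10 (4 Oct in D/M order)
#      is indexed as 10 April because the timestamp was read in M/D order
from datetime import datetime, timezone

FORMATS = {"DMY": "%d/%m/%Y %H:%M:%S", "MDY": "%m/%d/%Y %H:%M:%S"}

def parse_as(raw, order):
    """Parse raw under the given order; None if that order is impossible (e.g. month 15)."""
    try:
        return datetime.strptime(raw, FORMATS[order]).replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def ts(raw):
    """Epoch seconds for a raw timestamp written in the true (D/M) order."""
    return parse_as(raw, "DMY").timestamp()

def index_delay(event):
    """Seconds between when the event was indexed and the timestamp it was given."""
    return event["_indextime"] - event["_time"]

def timestamp_check(event, true_order="DMY"):
    """'ok' if _time matches the raw timestamp in its true order, 'swapped' if it
    matches the other D/M order instead, 'unknown' if neither reproduces _time."""
    other = "MDY" if true_order == "DMY" else "DMY"
    indexed = datetime.fromtimestamp(event["_time"], tz=timezone.utc)
    if parse_as(event["raw_time"], true_order) == indexed:
        return "ok"
    if parse_as(event["raw_time"], other) == indexed:
        return "swapped"
    return "unknown"

# Constructed sample events: _time is what the indexer assigned, _indextime when it arrived.
SAMPLE_EVENTS = [
    # 4 Oct parsed correctly and indexed 12 s later: healthy
    {"raw_time": "04/10/2023 08:15:00", "_time": ts("04/10/2023 08:15:00"),
     "_indextime": ts("04/10/2023 08:15:00") + 12},
    # 4 Oct read as 10 April: the "October events show up under 10 April" symptom
    {"raw_time": "04/10/2023 09:00:00", "_time": parse_as("04/10/2023 09:00:00", "MDY").timestamp(),
     "_indextime": ts("04/10/2023 09:00:00") + 5},
    # 15 Oct is unambiguous, but it was indexed two hours late: congestion symptom
    {"raw_time": "15/10/2023 10:00:00", "_time": ts("15/10/2023 10:00:00"),
     "_indextime": ts("15/10/2023 10:00:00") + 7200},
]

def report(events, max_delay=300):
    """One row per event: (raw_time, delay in seconds, timestamp verdict, late?)."""
    return [(e["raw_time"], index_delay(e), timestamp_check(e), index_delay(e) > max_delay)
            for e in events]
```

The second sample event shows the two symptoms together: its delay is about 177 days because `_time` landed in April while the event was indexed in October.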
Hi @gcusello, thanks for your response. Events stopped on 10/4 on only this DNS server. We have a second DNS server that is forwarding events just fine. It appears to be isolated to this one DNS server.