I've got an issue with some events we are receiving from multiple Active Directory hosts. Sometimes, the events break at random times. I've tried looking for a similar regex that might match where they are breaking, but I've found nothing.
These hosts are all forwarding to a collector, which in turns forwards it to our 3 grouped indexers via a TCP port.
98% of my events are breaking correctly by the timestamp, but every now and then I get an event like this:
11/06/2012 07:42:02 AM
LogName=Sec
11/06/2012 07:15:43 AM
LogName=Secur
Also, when I view the raw source for the events, those are the exact lines that are in the source as well.
Not even entirely sure where to begin troubleshooting this. Could it be a props.conf issue? If yes, why is it only happening sometimes? Why only on certain hosts?
Could it be TCP related?
Any help on where to start looking would be appreciated.
Just going through my old questions and answering any unanswered ones.
This issue was pretty much TCP related with faulty switching hardware to blame.
Not sure why useACK didn't solve the problem though, but after fixing the hardware, the problem went away.
Just going through my old questions and answering any unanswered ones.
This issue was pretty much TCP related with faulty switching hardware to blame.
Not sure why useACK didn't solve the problem though, but after fixing the hardware, the problem went away.