We're noticing that all of our Windows 2008 SP1 machines stop forwarding events from the security event log over the weekend. This appears to coincide with our EventArchiver process rotating/clearing the logs locally on the systems. This problem does not occur with XP, 2008 R2, or Windows 7 environments. Searching around I found something that appears to be similar at:
http://splunk-base.splunk.com/answers/3456/windows-event-logs-stop-forwarding-why
but it was from over a year ago. Does anyone know if that particular thread still applies to current (4.2.2) forwarders? Events do not get sent on until the universal forwarder service gets stopped/started manually.
I've had a similar problem there: http://splunk-base.splunk.com/answers/27441/forwarder-doesnt-collect-or-pull-data-after-some-time