Getting Data In

Forwarders on Win 2008 SP1 stop forwarding events

chadroberts
Path Finder

We're noticing that all of our Windows 2008 SP1 machines stop forwarding events from the security event log over the weekend. This appears to coincide with our EventArchiver process rotating/clearing the logs locally on the systems. This problem does not occur with XP, 2008 R2, or Windows 7 environments. Searching around I found something that appears to be similar at:

http://splunk-base.splunk.com/answers/3456/windows-event-logs-stop-forwarding-why

but it was from over a year ago. Does anyone know if that particular thread still applies to current (4.2.2) forwarders? Events do not get sent on until the universal forwarder service gets stopped/started manually.

0 Karma

Vladimir
Path Finder
0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...