Getting Data In

Forwarders on Win 2008 SP1 stop forwarding events

Path Finder

We're noticing that all of our Windows 2008 SP1 machines stop forwarding events from the security event log over the weekend. This appears to coincide with our EventArchiver process rotating/clearing the logs locally on the systems. This problem does not occur with XP, 2008 R2, or Windows 7 environments. Searching around I found something that appears to be similar at:

http://splunk-base.splunk.com/answers/3456/windows-event-logs-stop-forwarding-why

but it was from over a year ago. Does anyone know if that particular thread still applies to current (4.2.2) forwarders? Events do not get sent on until the universal forwarder service gets stopped/started manually.

0 Karma

Path Finder
0 Karma