I am observing inconsistent forwarding of Windows Security Event ID 4624 (Successful Logon) from multiple Windows hosts running Splunk Universal Forwarder, despite the hosts having identical configurations.
Some devices forward Event ID 4624 reliably, while others do not forward 4624 at all. This inconsistency persists even though configuration, versions, and OS‑level settings are the same.
The usual debugging steps/questions (adding to what @livehybrid already asked)
1. Are 4624 the only events which are not forwarded?
2. Are they not forwarded at all from selected clients or just some of them?
3. Does the splunkd.log show anything interesting for those clients?
4. Are you absolutely sure you have the same effective configuration? (I'm not talking only about what you're pushing but about the effective config merged from all apps, system/local and so on).
Hi @gitau_gm
For the instance not sending Windows Security Event ID 4624, does it sometimes send but not others?
Are you able to confirm that both instances are running Splunk as the same user with the same permissions? Are you able to see Windows Security Event ID 4624 when checking directly on the instance which is not sending these events?
How are you managing these instances? Is the content pushed out via a Deployment Server?
@livehybrid The 4624s are the ones that made me realize there was an issue
These are the events being forwarded by the "good" devices (forwarding 4624s)
- Authentication / Logon Activity
- User Rights & Privileges
- Service Control Manager
- System & Service Lifecycle
- Credential Validation (Kerberos/NTLM)
- IPsec / Network Security
These are the only events being forwarded by the "other" devices
- Service Control Manager
- System & Service Lifecycle
If your whole logs are not being forwarded, not just selected events, it suggests some permission issue. Probably either the user your forwarder runs under is not a member of the right group or you have some different policy applied on those UFs which doesn't grant sufficient rights to event logs. (or someone edited ACLs on logs only on some endpoints). That's something I would be troubleshooting with my local windows/AD guru.
Some devices are forwarding all windows events and some are not. Checked confs and they are identical in both instances.
As I said - it's not about the difference in UF's configuration. It's probably at the OS-level. The user under which the UF's splunkd.exe process is being run does not have the right to read the event logs. After you restart the UF you should get messages (I don't remember if those are warnings or errors) about the input not being able to subscribe to specific event logs.
Hey PickleRick
In both instances, the messages are consistent
Checking conf files for problems... Done Checking default conf files for edits... Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-10.2.2--windows-x64-manifest' All installed files intact. Done All preliminary checks passed. Starting splunk server daemon (splunkd)... SplunkForwarder: Starting (pid 32356) Done
But that is not what I was talking about. What you're pasting are the messages the Splunk service emits on stdout or stderr when you're starting it. I was talking about the messages which the forwarder writes to splunkd.log (and subsequently picks up with the monitor input and sends to the indexers). Those messages might contain a hint about why the event logs are not read.
As I wrote before, the probable cause is that the splunkd.exe process is not able to subscribe to the event log channel(s). It has nothing to do with the forwarder's config itself (the files in $SPLUNK_HOME\etc), but it depends on the user the splunkd.exe is run from.
It's an issue with the OS configuration regarding this user and is a fairly common thing - the user which the Splunk Universal Forwarder service is running as must have appropriate permissions granted on the operating system level (either manually or via GPO) to be able to access some of the event log channels.
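A triage script for the checks raised in this thread: which account splunkd.exe runs as, whether the Security channel ACL grants it read, whether it is in the Event Log Readers group, whether 4624 events exist locally at all, and what splunkd.log says about the WinEventLog input. This is an added example, not code from the thread or from Splunk; the install path, the service name `SplunkForwarder`, and the keyword matching on splunkd.log lines are assumptions to adjust for your environment.

```powershell
# Added triage script (not from the thread). Assumes the UF is installed under
# C:\Program Files\SplunkUniversalForwarder with a service named SplunkForwarder;
# adjust both if your install differs. Run in an elevated shell on a "bad" host.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$ServiceName = 'SplunkForwarder'
$Channel     = 'Security'

# 1. Which account runs splunkd.exe? LocalSystem normally reads Security fine;
#    a domain or local service account needs explicit rights on the channel.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service '$ServiceName' runs as: $($svc.StartName)"

# 2. Does the channel ACL grant that account read access? For event log
#    channels the read right is access-mask bit 0x1.
$sddl = (Get-WinEvent -ListLog $Channel).SecurityDescriptor
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable (e.g. foreign domain) SID
    $read = if (($ace.AccessMask -band 0x1) -ne 0) { 'read' } else { '-' }
    "{0,-13} {1,-45} mask=0x{2:X} {3}" -f $ace.AceType, $who, $ace.AccessMask, $read
}

# 3. Is the service account in Event Log Readers (the usual GPO-driven fix)?
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
"Event Log Readers members: " + (($readers | ForEach-Object Name) -join ', ')

# 4. Are 4624 events present locally at all? If not, the gap is auditing policy,
#    not forwarding.
$last = Get-WinEvent -FilterHashtable @{LogName=$Channel; Id=4624} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) { "Newest local 4624: $($last.TimeCreated)" } else { "No 4624 events found in $Channel" }

# 5. What does splunkd.log say about the WinEventLog input after a restart?
#    Matching on component name, severity and channel (assumed keywords), not on
#    an exact Splunk message text.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Get-Content $log -Tail 5000 |
    Where-Object { $_ -match 'WinEventLog' -and $_ -match '(ERROR|WARN)' -and $_ -match $Channel } |
    Select-Object -Last 20
```

Compare the output of steps 1 to 3 between a "good" and a "bad" host; a service account that is missing from the channel ACL or from Event Log Readers on only the bad hosts is the difference the thread points at.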
Hey @livehybrid, we migrated to Splunk Cloud a couple of months ago, so we have UFs sending directly to the cloud. All configs are the same, and yes, I do see security events from the endpoints directly for both instances. We have a DS pushing content.