What could be the possible reason that Windows security logs are not coming from the forwarders?
How do I troubleshoot it?
Please let me know if you need any additional information.
There are a few more likely reasons.
1) The forwarders are not running
2) A firewall/networking change is preventing the forwarders from communicating with the indexers
3) SSL certificates have expired
You should find clues in Splunk's log files. Search index=_internal group=tcpin_connections.
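An expanded form of the search suggested in the answer, added here as an example and not part of the original post: it summarizes the indexers' `metrics.log` connection records per forwarder and flags any that have gone quiet. The 24-hour window and the 15-minute "silent" threshold are assumptions to adjust for your environment.

```spl
index=_internal source=*metrics.log* group=tcpin_connections earliest=-24h
| stats latest(_time) AS last_seen, sum(kb) AS kb_received, latest(ssl) AS ssl, latest(fwdType) AS fwdType, latest(version) AS version BY hostname, sourceIp
| eval minutes_silent = round((now() - last_seen) / 60, 0)
| eval status = if(minutes_silent > 15, "silent", "connected")
| convert ctime(last_seen)
| sort - minutes_silent
```

A forwarder that is missing from the results entirely has not connected to any indexer in the search window, and one marked "silent" stopped connecting at the `last_seen` time, which you can line up against service restarts, firewall changes, or certificate expiry dates.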