We are currently forwarding Windows logs to a third-party SIEM and Logstash, but there is a problem. It looks like the third party is receiving only 50% of the logs, although we are forwarding all logs. Firewall rules are in place to forward and receive logs.
Data flow is as below:
Splunk Universal Forwarder ---> Splunk HWF ---> Third party, using UDP via syslog.
Thanks for the suggestion. I have added [WinEventLog:Application] and [WinEventLog:System] to the config, but their overall count compared to the Security logs is only 1%, so the issue still continues, i.e. we are still receiving 50% of logs at the third party 😞
Yes. I am sure it's UDP syslog. At the destination we are listening for UDP traffic only. We are receiving the UDP traffic at the destination. The problem is that we are receiving approximately 50% of the logs. I also searched for any logs with the keyword blocked=true (metrics.log in Splunk), but found no results.
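Because syslog over UDP has no delivery guarantee, a useful check when a receiver sees roughly half of what was sent is to separate loss on the wire from a routing or filtering problem on the Splunk side: send a stream of numbered probe messages from the HWF host to the third party's listener and count which sequence numbers arrive. The Python below is an added example written for this thread; it is not code from the thread, from Splunk or from the third-party product. The probe tag `udp-probe`, the hostname `hwf01` and the listener address passed to `send_probes` are assumptions, and `SAMPLE_RECEIVED` is a constructed capture showing 3 of 10 probes missing.

```python
import re
import socket
from datetime import datetime

# Constructed sample: lines the third-party listener might have written after a
# 10-message probe run. Sequence numbers 3, 4 and 8 never arrived, message 6 was
# captured twice, and one ordinary Windows event is mixed in to show it is ignored.
SAMPLE_RECEIVED = [
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=1 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=2 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=5 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=6 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=6 total=10",
    "<13>Jan 10 10:00:00 hwf01 WinEventLog:Security EventCode=4624 ...",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=7 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=9 total=10",
    "<13>Jan 10 10:00:00 hwf01 udp-probe: seq=10 total=10",
]

# Matches only our probe messages; everything else on the listener is skipped.
SEQ_RE = re.compile(r"udp-probe: seq=(\d+) total=(\d+)")


def send_probes(host, port, count, hostname="hwf01"):
    """Send `count` numbered RFC 3164-style messages over UDP.

    Run this on the HWF host (or any host on the same path) against the
    third party's UDP syslog listener. Returns the number of datagrams sent.
    Day-of-month is zero-padded here, which most receivers accept.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    sent = 0
    try:
        for seq in range(1, count + 1):
            msg = f"<13>{ts} {hostname} udp-probe: seq={seq} total={count}"
            sock.sendto(msg.encode("utf-8"), (host, port))
            sent += 1
    finally:
        sock.close()
    return sent


def loss_report(received_lines):
    """Summarise which probe sequence numbers reached the listener.

    Returns (expected, received, missing_ranges, loss_pct). Duplicates are
    counted once; `missing_ranges` is a list of inclusive (first, last) gaps,
    which makes burst loss (one long gap) easy to tell from random loss.
    """
    seen = set()
    expected = 0
    for line in received_lines:
        m = SEQ_RE.search(line)
        if not m:
            continue
        seen.add(int(m.group(1)))
        expected = max(expected, int(m.group(2)))

    missing = [seq for seq in range(1, expected + 1) if seq not in seen]
    ranges = []
    for seq in missing:
        if ranges and ranges[-1][1] == seq - 1:
            ranges[-1][1] = seq          # extend the current gap
        else:
            ranges.append([seq, seq])    # start a new gap

    loss_pct = 100.0 * len(missing) / expected if expected else 0.0
    return expected, len(seen), [tuple(r) for r in ranges], loss_pct


if __name__ == "__main__":
    # Offline demonstration on the constructed capture above.
    expected, received, gaps, pct = loss_report(SAMPLE_RECEIVED)
    print(f"expected={expected} received={received} "
          f"missing={gaps} loss={pct:.1f}%")
    # Live use (assumed listener address):
    #   send_probes("192.0.2.10", 514, 10000)
    # then feed the listener's captured lines to loss_report().
```

If the probes arrive complete while the event count still differs, the shortfall is upstream of the UDP hop (which WinEventLog sources are routed to the syslog output, or how the receiver counts events); if probes go missing, the loss is on the network path or in the receiver's UDP socket buffer, and the gap pattern from `loss_report` indicates whether it is bursty or evenly spread.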