For our office Disaster Recovery plan, we use Hyper-V replication to replicate our servers offsite. Yesterday we had a DR event and brought the replicas online. Two of the many servers decided to reindex their WinEventLog:Security events. It was only these two servers and only the WinEventLog:Security events that got reindexed.
Is there a way to prevent this from happening during a DR event? It pushed us over our licensing cap.
Forwarders are not aware of the data collected on other forwarders, (For log files, or wineventlogs etc..)
so to avoid indexing the same events twice, you can
- disable one input on one of the forwarder
- disable windows internal cloning of events logs between servers, or put them on different wineventlog groups, that you can decide which ones to monitor or not.
The replication I'm talking about is like taking a bit-by-bit clone of the drive, any changed done on the primary are replicated to the secondary. The secondary isn't even powered on or realizes it is a different machine when failed over.
This is also evident by the fact only one source, WinEventLog:Security, was reindexed. Also this is the only time reindexing has happened and we routinely perform testing on our DR plans, which includes failing over machines.