Getting Data In

Windows Event Log reduction after patching?

Splunk_user77
New Member

Good morning.

We have been tracking a recent reduction in our log ingest rate. After a myriad of searching, it appears that the reduction in XML Windows Event Logs occurred the same week that Windows patching occurred in July of 2022. We are down by approximately 10%, maybe a little less than that. We have noted that the XML wineventlogs appear to be the only index affected.

I'm concerned because this could indicate:

  1. Patching broke logging on the Windows systems and we aren't getting everything we used to or should.
  2. Patching made logging more efficient and we are getting the same or better/more data with less overall size.
  3. Something else could be broken within Splunk itself and this is the only indication.

We opened an on-demand case and they found nothing wrong. We opened a support case and they told us what we could see for ourselves in the cloud monitoring console. We've continued to search and investigate, and our working theory is that patching affected the logging. We now need to know if it's a good thing (number 2) or a bad thing (number 1).

My question is - has anyone else noticed a drop in xmlwineventlog volume over the last few months?

Thanks in advance.


Azeemering
Builder

Hi,

This reduction can have many different causes, but you need to pinpoint what exactly changed.

- Are all hosts patched, and are all reporting and running the UF properly?

- Can you pinpoint the reduction to System / Application or Security Windows events? (source in Splunk)

- Do all hosts have the same amount of reduction of event logs sent to Splunk?

- Look at the Windows EventCodes. Do a before and after count of the different EventCodes. Can you pinpoint a difference to a specific EventCode?

Just troubleshoot step by step. Happy to help and think with you for next steps.

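The before/after comparison suggested in the answer above, as two added SPL searches that are not from either poster. They assume the XML event logs live in an index named `wineventlog` under the standard `XmlWinEventLog` sourcetype, and use `2022-07-15` as a placeholder for the patch week (the thread only says "July of 2022"); adjust both, and the `-20`/`-10` percent thresholds, to your environment. The first search checks per host whether any forwarder went quiet or dropped volume after the patch date; the second breaks the change down by source and EventCode and separates "fewer events" (the bad case, option 1) from "same events but smaller payload" (the efficiency case, option 2) by comparing event counts against summed `_raw` length.

```spl
| tstats count AS events
    where index=wineventlog sourcetype=XmlWinEventLog earliest=-90d@d latest=@d
    by host _time span=1d
| eval period=if(_time < strptime("2022-07-15", "%Y-%m-%d"), "before", "after")
| stats avg(eval(if(period=="before", events, null()))) AS before_per_day
        avg(eval(if(period=="after",  events, null()))) AS after_per_day
        max(_time) AS last_seen
    by host
| eval pct_change=round(100 * (after_per_day - before_per_day) / before_per_day, 1)
| eval status=case(isnull(after_per_day), "SILENT SINCE PATCH",
                   pct_change < -20,      "VOLUME DROP",
                   true(),                "ok")
| convert ctime(last_seen)
| sort pct_change

index=wineventlog sourcetype=XmlWinEventLog earliest=-90d@d latest=@d
| eval period=if(_time < strptime("2022-07-15", "%Y-%m-%d"), "before", "after")
| eval raw_bytes=len(_raw)
| bin _time span=1d
| stats count AS events sum(raw_bytes) AS bytes by _time period source EventCode
| stats avg(eval(if(period=="before", events, null()))) AS events_before
        avg(eval(if(period=="after",  events, null()))) AS events_after
        avg(eval(if(period=="before", bytes,  null()))) AS bytes_before
        avg(eval(if(period=="after",  bytes,  null()))) AS bytes_after
    by source EventCode
| eval events_pct=round(100 * (events_after - events_before) / events_before, 1)
| eval bytes_pct=round(100 * (bytes_after - bytes_before) / bytes_before, 1)
| eval verdict=case(isnull(events_after),                   "event type gone after patch",
                    events_pct < -10,                       "fewer events (possible logging loss)",
                    bytes_pct < -10 AND events_pct >= -10,  "same events, smaller payload (format change)",
                    true(),                                 "unchanged")
| where verdict!="unchanged"
| sort events_pct
```

Run the two searches separately. The first uses `tstats`, so it is cheap over 90 days; the second reads raw events to get `EventCode` and `_raw` length, so on a large estate run it first against a handful of hosts (add `host IN (...)` to the base search) and widen once you see which source or EventCode carries the drop. Both end at `latest=@d` so a partial current day does not pull the "after" daily average down. A host flagged `SILENT SINCE PATCH`, or an EventCode whose events fell while bytes per event stayed flat, points at option 1; a row where only `bytes_pct` fell points at option 2 and is worth confirming against a sample event's XML from each period.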