Good morning.
We have been tracking a recent reduction in our log ingest rate. After a great deal of searching, it appears that the reduction in XmlWinEventLog events occurred the same week that Windows patching occurred in July of 2022. We are down by approximately 10%, maybe a little less than that. We have noted that the XmlWinEventLog index appears to be the only index affected.
I'm concerned because this could indicate:
We opened an on-demand case and they found nothing wrong. We opened a support case and they told us what we could see for ourselves in the Cloud Monitoring Console. We've continued to search and investigate, and our working theory is that patching affected the logging. We now need to know if it's a good thing (number 2) or a bad thing (number 1).
My question is: has anyone else noticed a drop in XmlWinEventLog volume over the last few months?
Thanks in advance.
Hi,
A reduction like this can have many different causes, but you need to pinpoint what exactly changed.
- Are all hosts patched, and are all of them reporting and running the UF properly?
- Can you pinpoint the reduction to System, Application or Security Windows events? (the source field in Splunk)
- Do all hosts show the same amount of reduction in event logs sent to Splunk?
- Look at the Windows EventCodes; do a before-and-after count of the different EventCodes. Can you pinpoint the difference to a specific EventCode?
Just troubleshoot step by step. Happy to help and think with you for next steps.
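The before/after comparison suggested in the reply above, worked through as an added example (this is not code from the original thread or from Splunk). It takes per-week counts by host, source and EventCode, the kind of table you would export from a Splunk search like `index=<your index> sourcetype=XmlWinEventLog | bin _time span=1w | stats count by _time host source EventCode`, and answers the three questions in order: which hosts went silent (UF or input problem rather than patching), which source lost the most events, and which EventCode lost the most events. The index name, host names, dates, counts and the assumed patch date are all invented sample data; the field names host, source and EventCode are the ones Splunk's Windows inputs normally set.

```python
"""Before/after comparison of XmlWinEventLog volume by host, source and EventCode.

Added example for the troubleshooting steps above, not code from the original
thread or from Splunk. SAMPLE_ROWS is constructed data standing in for the
output of a weekly `stats count by _time host source EventCode` search;
PATCH_CUTOFF is an assumed patch date.
"""
from collections import Counter
from datetime import date

PATCH_CUTOFF = date(2022, 7, 12)  # assumption: first day of the patch week

# Constructed rows: (week_start, host, source, EventCode, count)
SAMPLE_ROWS = [
    # week before patching
    (date(2022, 7, 4), "dc01", "WinEventLog:Security", 4624, 1000),
    (date(2022, 7, 4), "dc01", "WinEventLog:Security", 5145, 200),
    (date(2022, 7, 4), "dc01", "WinEventLog:System", 7036, 100),
    (date(2022, 7, 4), "app01", "WinEventLog:Security", 4624, 800),
    (date(2022, 7, 4), "app01", "WinEventLog:Security", 5145, 150),
    (date(2022, 7, 4), "app01", "WinEventLog:Application", 1000, 50),
    (date(2022, 7, 4), "ws01", "WinEventLog:Security", 4624, 400),
    (date(2022, 7, 4), "ws01", "WinEventLog:System", 7036, 80),
    (date(2022, 7, 4), "ws02", "WinEventLog:Security", 4624, 100),
    (date(2022, 7, 4), "ws02", "WinEventLog:System", 7036, 60),
    # week after patching: ws02 sends nothing, EventCode 5145 collapses on every host
    (date(2022, 7, 18), "dc01", "WinEventLog:Security", 4624, 1000),
    (date(2022, 7, 18), "dc01", "WinEventLog:Security", 5145, 30),
    (date(2022, 7, 18), "dc01", "WinEventLog:System", 7036, 100),
    (date(2022, 7, 18), "app01", "WinEventLog:Security", 4624, 800),
    (date(2022, 7, 18), "app01", "WinEventLog:Security", 5145, 20),
    (date(2022, 7, 18), "app01", "WinEventLog:Application", 1000, 50),
    (date(2022, 7, 18), "ws01", "WinEventLog:Security", 4624, 400),
    (date(2022, 7, 18), "ws01", "WinEventLog:System", 7036, 80),
]

DIMS = {"host": 0, "source": 1, "EventCode": 2}  # position of each field in the key


def split_windows(rows, cutoff=PATCH_CUTOFF):
    """Aggregate counts per (host, source, EventCode) before and after the cutoff."""
    before, after = Counter(), Counter()
    for week, host, source, code, n in rows:
        target = before if week < cutoff else after
        target[(host, source, code)] += n
    return before, after


def total(counter):
    return sum(counter.values())


def delta_pct(b, a):
    """Percent change from b to a; None when there is no baseline to compare against."""
    return None if b == 0 else round(100.0 * (a - b) / b, 1)


def breakdown(before, after, dim):
    """Before / after / percent change for every value of one dimension."""
    idx = DIMS[dim]
    b, a = Counter(), Counter()
    for key, n in before.items():
        b[key[idx]] += n
    for key, n in after.items():
        a[key[idx]] += n
    return {
        v: {"before": b[v], "after": a[v], "delta_pct": delta_pct(b[v], a[v])}
        for v in sorted(set(b) | set(a), key=str)
    }


def silent_hosts(before, after):
    """Hosts that reported before the cutoff and nothing after. Check the UF
    and inputs on these first; a dead forwarder looks like a volume drop too."""
    return sorted({k[0] for k in before} - {k[0] for k in after})


def rank_loss(before, after, dim):
    """Values of a dimension ordered by absolute events lost, largest first."""
    rows = breakdown(before, after, dim)
    ranked = [(v, r["before"] - r["after"]) for v, r in rows.items()]
    return sorted(ranked, key=lambda x: -x[1])


def explain_drop(rows, cutoff=PATCH_CUTOFF):
    """Run the checks in order and return where the drop concentrates."""
    before, after = split_windows(rows, cutoff)
    return {
        "lost_events": total(before) - total(after),
        "drop_pct": delta_pct(total(before), total(after)),
        "silent_hosts": silent_hosts(before, after),
        "top_source": rank_loss(before, after, "source")[0],
        "top_eventcode": rank_loss(before, after, "EventCode")[0],
    }


if __name__ == "__main__":
    for k, v in explain_drop(SAMPLE_ROWS).items():
        print(f"{k}: {v}")
    b, a = split_windows(SAMPLE_ROWS)
    for dim in DIMS:
        print(f"\n{dim}:")
        for v, r in breakdown(b, a, dim).items():
            print(f"  {v!s:<24} {r['before']:>6} -> {r['after']:>6}  ({r['delta_pct']}%)")
```

On the sample data the summary separates two different stories: ws02 stopped reporting altogether (a forwarder or input problem to fix regardless of patching), while the rest of the loss is almost entirely EventCode 5145 under WinEventLog:Security on every remaining host, which is the pattern you would expect from a change in audit policy or in what the OS logs after a patch. Once the silent hosts are excluded, a drop that lines up with one EventCode across all hosts is much easier to classify as expected or not than a raw index-level percentage.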