Getting Data In

Windows Event Log reduction after patching?

Splunk_user77
New Member

Good morning.

We have been tracking a recent reduction in our log ingest rate. After a myriad of searching, it appears that the reduction in XML Windows Event Logs occurred the same week that Windows patching occurred in July of 2022. We are down by approximately 10%, maybe a little less than that. We have noted that the XML Windows Event Logs appear to be the only index affected.

I'm concerned because this could indicate:

  1. Patching broke logging on the Windows systems and we aren't getting everything we used to or should
  2. Patching made logging more efficient and we are getting the same or better/more data with less overall size
  3. Something else could be broken within Splunk itself and this is the only indication

We opened an on-demand case and they found nothing wrong. We opened a support case and they told us what we could see for ourselves in the cloud monitoring console. We've continued to search and investigate, and our working theory is that patching affected the logging. We now need to know if it's a good thing (number 2) or a bad thing (number 1).

My question is - has anyone else noticed a drop in xmlwineventlog volume over the last few months?

Thanks in advance.

0 Karma

Azeemering
Builder

Hi,

The reduction of this can have many different reasons, but you need to pinpoint what exactly changed.

- Are all hosts patched and are all reporting and running the UF properly?

- Can you pinpoint the reduction to System / Application or Security Windows events? (source in Splunk)

- Do all hosts have the same amount of reduction in event logs sent to Splunk?

- Look at the Windows event codes: do a before-and-after count of the different event codes. Can you pinpoint a difference to a specific event code?

Just troubleshoot step by step. Happy to help and think with you for next steps.

0 Karma
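One way to run the before-and-after comparison the answer above suggests, as an added example (not either poster's own search). It assumes an index named wineventlog, the XmlWinEventLog sourcetype, and a patch date of 2022-07-12; both windows are 14 days long so the counts are directly comparable. Besides event counts per host, source and EventCode, it reports average event size in each window, which is what separates "fewer events" (the first concern) from "same events, smaller payloads" (the second).

```spl
index=wineventlog sourcetype=XmlWinEventLog
    earliest="06/28/2022:00:00:00" latest="07/26/2022:00:00:00"
| eval period=if(_time < strptime("2022-07-12", "%Y-%m-%d"), "before", "after")
| eval bytes=len(_raw)
| stats sum(eval(if(period="before",1,0)))     AS events_before
        sum(eval(if(period="after",1,0)))      AS events_after
        sum(eval(if(period="before",bytes,0))) AS bytes_before
        sum(eval(if(period="after",bytes,0)))  AS bytes_after
    BY host source EventCode
| eval event_delta_pct = round((events_after - events_before) / events_before * 100, 1),
       avg_size_before = round(bytes_before / events_before, 0),
       avg_size_after  = round(bytes_after / events_after, 0),
       size_delta_pct  = round((avg_size_after - avg_size_before) / avg_size_before * 100, 1)
| sort event_delta_pct
| table host source EventCode events_before events_after event_delta_pct avg_size_before avg_size_after size_delta_pct
```

Rows where event_delta_pct is strongly negative for particular hosts or event codes point at logging or forwarding that stopped after patching; rows where counts hold steady but size_delta_pct is negative point at smaller events rather than lost ones. A row with events_before set and events_after empty (null from the division) is a host or event code that disappeared entirely and deserves a direct check of the forwarder.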