@PickleRick the events are in the Security eventlog which other than the event IDs related to cert services e.g. 4876, 4877, 4885, 4886, 4887, 4888, 4889 can be seen in Splunk. All these event IDs are whitelisted for the WinEventLog security channel in the inputs.conf

Question is whether you don't blacklist them (to be honest, I don't remember how whitelist/blacklist interact - which one prevails).

And about the thruput issue - it shouldn't drop events selectively - it would throttle output which in turn would throttle input so you would have a (possibly huge) lag ingesting events from this UF but it shouldn't just drop events.

Dropping events could occur in an extreme case if you lagged so much that windows rotated the underlying event log so that the UF couldn't read the events from a saved checkpoint. But that's relatively unlikely and you'd notice that becuse this UF would have been significantly delayed already.

@PrewinThomas need to be capturing all event IDs associated with cert services, however for testing purposes was looking specifically for 4876, 4877. And yes the CA server is running universal forwarder.

Unsure how to check if Splunk is dropping high-volume events so if you could point me in the right direction for that I will check on that , however looking at the event logs on the CA server would not say these events are particularly high-volume <100 in the past week across all the events for cert services.

@n_hoh 
Can you share your inputs.conf and event flow(like UF->HF->Idx)