Splunk Cloud Platform

Logs from Windows host stop all of a sudden

abhi04
Communicator

Hi All,

 

We have Windows event and other application logs ingested into Splunk.

 

There is no problem with Windows event logs, but for our application-related logs, the logs stop suddenly and start reporting again, but the log file in Windows is being continuously updated with recent logs, though the modified time does not get updated because of the Windows feature. The modified time for the log file is not an issue because the logs start rolling in even when the modified time is the same but the log file had the latest logs.

 

We are using Splunk forwarder version 9.0.4 currently. Can someone please help in triaging this issue? It is a problem with only one specific source on this Windows host; other sources (Windows event logs) are flowing in properly.

0 Karma

abhi04
Communicator

It's the opposite for me: Windows events are fine but application logs have a problem, though I will try upgrading the forwarder and check.

0 Karma

marnall
Motivator

Are you saying that all the Application logs are not forwarding, or just the application logs for a specific source?

There is a known issue with forwarder 9.0.4 where the event logs for Windows Defender will stop forwarding (until next restart), but other logs will forward. Perhaps this issue is related.

https://docs.splunk.com/Documentation/Splunk/9.0.4/ReleaseNotes/KnownIssues

Could you try updating your forwarder version and seeing if it fixes the issue?

0 Karma