We seem to be dropping events?
We are currently using Windows Event collectors on our Servers and Workstations and are missing events.
I found this link: Windows Event Forwarding and they say to use the UF?
Has anyone else had problems using Windows Event Forwarding?
We were able to leverage our Windows Event Collectors. We added this to the TA-Windows inputs.conf settings.
[WinEventLog://Forwarded Events]
suppress_checkpoint = true
suppress_sourcename = true
suppress_keywords = true
suppress_type = true
suppress_task = true
suppress_opcode = true
suppress_text = true
use_threads = 7
I typically recommend the UF on Windows servers. It makes monitoring for problems much easier, such as systems that have stopped sending any data.
As for workstations, that may be a bit stickier, but if your number of workstations is small, a UF is hardly outrageous compared to many other agents I've seen on workstations. The major question to ask yourself is what happens when that workstation (which includes laptops presumably) goes home and then is brought online?
As far as workstations, we have around 4,000. Mixture of physical, persistent and non-persistent VDI.
With a moderate number of workstations like that, the downside of a forwarder is you know when they stop reporting in. The upside is you know when they stop reporting in. VDI are typically considered more transitory, less permanent, so a forwarder does make less sense. You may need to consider a different solution for each technology type.
Some have had luck with a syslog daemon on Windows to forward log events.
There really is not a single best answer in my view. Each technology has advantages. Forwarders are easier to monitor, harder to deal with systems that are expected to come up and down regularly, but also deal surprisingly well with network disconnects. Event forwarders are simple, but as you've seen, not well known for reliability. Some use syslog or other protocols to introduce more answers.
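Two things the thread keeps coming back to are worth checking for, rather than guessing about: whether the collector path is actually dropping events, and which hosts have gone quiet. The script below is an added example written for this thread, not code from Splunk or from any of the posters. It works on a constructed sample of forwarded events, each carrying the source host, the source channel and the source log's EventRecordID (in Splunk's Windows event fields those would be ComputerName, LogName and RecordNumber; that mapping is an assumption, as is the 30-minute silence threshold). Because a Windows log assigns record IDs sequentially per channel on each host, a hole between consecutive forwarded IDs means events were written on the source but never reached the collector or indexer; a record ID that goes backwards means the source log was cleared and numbering restarted, which is reported separately so it is not mistaken for a drop.

```python
"""Spot dropped forwarded events and silent hosts in WEF/WEC-style data.

Added example for the thread above; all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (source host, source channel, EventRecordID, time written).
# WS-001 is missing records 1003 and 1004; WS-002 has not sent anything
# since 09:00:30.
SAMPLE_EVENTS = [
    ("WS-001", "Security", 1001, "2024-03-01T10:00:00"),
    ("WS-001", "Security", 1002, "2024-03-01T10:00:05"),
    ("WS-001", "Security", 1005, "2024-03-01T10:00:20"),
    ("WS-001", "Security", 1006, "2024-03-01T10:00:25"),
    ("WS-002", "Security", 500, "2024-03-01T09:00:00"),
    ("WS-002", "Security", 501, "2024-03-01T09:00:30"),
    ("WS-003", "System", 42, "2024-03-01T10:05:00"),
    ("WS-003", "System", 43, "2024-03-01T10:05:10"),
]


def parse_ts(ts):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(ts)


def find_record_gaps(events):
    """Return (gaps, resets).

    gaps:   {(host, channel): [(first_missing_id, last_missing_id), ...]}
    resets: {(host, channel): number of times the record ID went backwards}

    Record IDs are sequential per channel on each source host, so a jump of
    more than one between consecutive forwarded events is a drop somewhere
    between the source and the indexer. A backwards jump means the source
    log was cleared (numbering restarts), which is a separate condition.
    """
    by_key = defaultdict(list)
    for host, channel, rec_id, ts in events:
        by_key[(host, channel)].append((parse_ts(ts), rec_id))

    gaps, resets = {}, {}
    for key, recs in by_key.items():
        recs.sort()  # order by time written on the source
        missing, prev = [], None
        for _, rec_id in recs:
            if prev is not None:
                if rec_id < prev:
                    resets[key] = resets.get(key, 0) + 1
                elif rec_id - prev > 1:
                    missing.append((prev + 1, rec_id - 1))
            prev = rec_id
        if missing:
            gaps[key] = missing
    return gaps, resets


def dropped_count(gaps):
    """Total number of record IDs that never arrived, across all gaps."""
    return sum(hi - lo + 1 for ranges in gaps.values() for lo, hi in ranges)


def silent_hosts(events, now, max_silence=timedelta(minutes=30)):
    """Hosts whose newest forwarded event is older than max_silence at `now`.

    This is the 'stopped reporting in' check; the threshold is an assumed
    value and should match how often the environment expects a host to talk.
    """
    last_seen = {}
    for host, _, _, ts in events:
        t = parse_ts(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)


if __name__ == "__main__":
    gaps, resets = find_record_gaps(SAMPLE_EVENTS)
    for (host, channel), ranges in gaps.items():
        for lo, hi in ranges:
            print(f"{host}/{channel}: records {lo}-{hi} never arrived")
    print(f"total dropped: {dropped_count(gaps)}")
    for key, n in resets.items():
        print(f"{key[0]}/{key[1]}: record numbering restarted {n} time(s)")
    now = datetime(2024, 3, 1, 10, 10, 0)  # constructed 'current' time
    print("silent hosts:", silent_hosts(SAMPLE_EVENTS, now))
```

In practice the host/channel/record-ID triple can be pulled from whichever pipeline you end up with (collector plus Forwarded Events input, or a UF reading the logs directly), and the two checks answer different questions: a gap report tells you the transport is lossy even while a host looks healthy, while the silence list is the monitoring point the UF answer above is referring to. For non-persistent VDI the silence check needs a per-pool expectation rather than a single threshold, since those hosts are expected to disappear.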