Hi All,

Currently one of the windows user contacted us and informed  that he could notice that Splunk UF agent is failing frequently in his machine.

When investigated the issue, we could see the following error details in Splunk _internal logs. 

Component= ExecProcessor
=========================
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Windows PowerShell'
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='Windows PowerShell
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Security'

component=AuthenticationManagerSplunk
=========================================
01-17-2022 09:22:19.839 +0000 ERROR AuthenticationManagerSplunk - Either password or seed file not found! No users configured!

component=Metrics
====================
01-17-2022 09:22:20.245 +0000 ERROR Metrics - Metric with name thruput:idxSummary already registered

component=TcpOutputFd
======================
01-17-2022 04:45:00.175 +0000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

component=PipelineComponent
=============================
01-17-2022 05:21:48.213 +0000 ERROR PipelineComponent - Monotonic time source didn't increase; is it stuck?

component=FileClassifierManager
==================================
01-17-2022 09:22:23.780 +0000 WARN FileClassifierManager - The file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' is invalid. Reason: binary

component=TailReader
==========================

01-17-2022 09:22:23.780 +0000 INFO TailReader - Ignoring file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' due to: binary

component=WatchedFile
==========================

01-17-2022 09:22:23.498 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-10-01-08-22-12.log'.

I have checked the truncate value and found all are within the control limit except the below sourcetype 

Default Value is set to 10000 

Splunk Agent version is 7.0 

Splunk Enterprise indexer version is 8.2.2 

Please guide me what kind of troubleshooting steps needs to taken in-order to resolve this issue.