Splunk Enterprise

Windows event logs missing

naagaraj
Engager

Hi All,


We are trying to monitor Windows event logs from multiple systems by installing forwarders on the individual machines; the logs are forwarded to a centralized Splunk instance.

During a network outage or internet disconnection on the individual systems, the event codes (4800 and 4801) are not getting captured in Splunk.


Below is the input.conf we are using:

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = test_events
start_from = oldest
whitelist = 4624,4634,4800,4801


Could you please help us out?

0 Karma
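A first triage step for the question above is to establish whether the gap is at event generation on the endpoint or at forwarding. The following PowerShell is an added diagnostic, not code from the original post or from Splunk: it reads the local Security log on one of the forwarder hosts for 4800/4801 inside the outage window, so the counts can be compared with what the indexer holds. The outage timestamps and the index/source names in the comment are assumptions taken from the post's input.conf.

```powershell
# Added diagnostic (not from the original post). Run on one of the forwarder
# hosts with rights to read the Security log. $OutageStart/$OutageEnd are the
# disconnection window; the values at the bottom are constructed placeholders.
function Get-LockUnlockEvents {
    param(
        [Parameter(Mandatory)][datetime]$OutageStart,
        [Parameter(Mandatory)][datetime]$OutageEnd
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4800, 4801        # 4800 = workstation locked, 4801 = unlocked
        StartTime = $OutageStart
        EndTime   = $OutageEnd
    }
    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4800/4801 in the local Security log for this window: the events were never generated on the endpoint, so forwarding is not the cause."
        return
    }
    # Per-ID count plus first/last timestamp, to line up against the indexer side.
    $events | Group-Object Id | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            First   = $sorted[0].TimeCreated
            Last    = $sorted[-1].TimeCreated
        }
    }
}

# Constructed example window. Compare the result with a search on the central
# instance over the same window, e.g. (assuming the post's index and the classic
# WinEventLog source name):
#   index=test_events source="WinEventLog:Security" EventCode IN (4800,4801)
Get-LockUnlockEvents -OutageStart (Get-Date '2024-05-01 09:00') -OutageEnd (Get-Date '2024-05-01 11:00')
```

If the endpoint shows the events but the indexer does not, the forwarder's catch-up after reconnection is where to look next; if the endpoint shows none, the local audit policy for these event IDs is the thing to verify first.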