Hi! I've set up the following "app" to be deployed on my Universal Forwarders for Windows:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
evt_resolve_ad_obj = 1

This has worked flawlessly for years until this week, when I started to NOT receive any updates from that log until a restart of the Universal Forwarder. At first I thought it had something to do with the fact that we had updated all UFs to 8.2.2 too, but today when I did some investigation I also noticed that one of the UFs wasn't updated and still used version 7.2. So my guess is that it has something to do with the Splunk Enterprise installation/upgrade (upgraded to 8.2.2 about 1½ weeks ago, from 7.4). It's not that the forwarder stops completely, because I still receive logging from the Security, System etc. logs in the Event Viewer. It seems to be just the "Defender" log, and when I do a restart of the Splunk service it will start to send again. Have I missed something, or should I open a ticket with Splunk?
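A local triage script for the situation described in the post, as an added example that is not part of the original post or of any Splunk-provided tooling. It runs on the affected forwarder host and separates the three things that could be silent here: the Defender/Operational channel itself, the splunkd service, and the WinEventLog input's own view of that channel. It assumes the UF is installed in the default location (`C:\Program Files\SplunkUniversalForwarder`), that the Windows service is named `SplunkForwarder`, and that the stanza name matches the one in the post; the `$LookbackMinutes` threshold is an arbitrary choice.

```powershell
# Added diagnostic script (not from the original post). Assumed defaults below;
# adjust $SplunkHome / $Channel if your install differs.
param(
    [string]$SplunkHome      = "C:\Program Files\SplunkUniversalForwarder",
    [string]$Channel         = "Microsoft-Windows-Windows Defender/Operational",
    [int]   $LookbackMinutes = 60   # arbitrary "is it recent enough" threshold
)

# 1. Is the channel still being written locally? If the newest event is old,
#    the gap is upstream of the UF (Defender itself), not the forwarder.
$newest = Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction Stop
$ageMin = [int]((Get-Date) - $newest.TimeCreated).TotalMinutes
if ($ageMin -gt $LookbackMinutes) {
    Write-Warning "Newest local event in '$Channel' is $ageMin min old (EventID $($newest.Id)); channel may be idle"
} else {
    "Channel OK: newest local event $($newest.TimeCreated) (EventID $($newest.Id), $ageMin min ago)"
}

# 2. Is the forwarder service up at all? (Other channels still arriving suggests yes.)
$svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
"SplunkForwarder service: $(if ($svc) { $svc.Status } else { 'not found' })"

# 3. Show the stanza as btool merges it across all apps, so a later app that
#    re-declares the same stanza (e.g. with disabled = true) is visible.
& "$SplunkHome\bin\splunk.exe" btool inputs list "WinEventLog://$Channel" --debug

# 4. Anything the WinEventLog input logged about this channel, plus recent
#    WinEventLog warnings/errors, from the tail of splunkd.log.
$log = Join-Path $SplunkHome "var\log\splunk\splunkd.log"
Get-Content $log -Tail 5000 |
    Select-String -Pattern 'WinEventLog' |
    Where-Object { $_.Line -match [regex]::Escape($Channel) -or $_.Line -match '\b(ERROR|WARN)\b' } |
    Select-Object -Last 20 |
    ForEach-Object { $_.Line }
```

On the indexer side, the same gap can be confirmed with a search such as `index=windefender | stats max(_time) AS last_seen BY host` and compared against `index=_internal host=<uf> sourcetype=splunkd` to show that the forwarder itself never stopped talking while the Defender channel did. Note that step 1 only says whether Defender wrote events locally; a healthy local log together with an old `last_seen` on the indexer points at the input, which is the combination the post describes.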