Hi all, I have migrated a 9.0.4 HF from a Windows Server 2012 to a Windows Server 2022. The original connector was working fine, while the new one (with the same settings) keeps crashing. This is the error I get almost every minute in the Application event viewer:

Faulting application name: splunk-winevtlog.exe, version: 2305.256.25832.56887, time stamp: 0x64e8dfcc
Faulting module name: ntdll.dll, version: 10.0.20348.1970, time stamp: 0x31881ea2
Exception code: 0xc0000374
Fault offset: 0x0000000000104909
Faulting process id: 0x1304
Faulting application start time: 0x01d9ed2bd5be870c
Faulting application path: C:\Program Files\Splunk\bin\splunk-winevtlog.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 45c2b6fd-2c6e-484d-9602-eb948052101d
Faulting package full name:
Faulting package-relative application ID:

I tried to upgrade the HF to version 9.0.6 and then to version 9.1.1, but the error persists. It seems to be caused by the inputs configured in Splunk_TA_windows (version 8.7.0 installed). These are the enabled inputs that cause the issue:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = 4656,4658,4690,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159
renderXml = false
index = wineventlog

###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml = true
host = WinEventLogForwardHost
index = wineventlog

The only solution I found is to disable the ForwardedEvents input. This way the HF works as expected. I also tried to set current_only=1 on that input with no luck.

Does anyone know if it's a known issue and how to troubleshoot this?

Regards,
Alessandro
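When a process faults this regularly, the first triage step is to pull the Event ID 1000 records apart and decode the exception code rather than eyeballing the flattened text. The following is an added example for this thread, not code from the original post or from Splunk: it parses the Windows Error Reporting message format shown above into fields, maps the exception code to its public NTSTATUS name (0xc0000374 is STATUS_HEAP_CORRUPTION), and counts how often each application/exception pair repeats. The first sample record reproduces the text from the post; the other two are constructed for illustration and their process and report ids are placeholders.

```python
"""Triage helper for Windows Application-log crash records (Event ID 1000).

Added example for this thread, not part of the original post or of Splunk.
Sample records: the first is the text posted above, the others are constructed.
Exception-code names come from the public NTSTATUS list.
"""
import re
from collections import Counter

# Labels emitted by Windows Error Reporting in the order they appear.
LABELS = [
    "Faulting application name", "version", "time stamp",
    "Faulting module name", "Exception code", "Fault offset",
    "Faulting process id", "Faulting application start time",
    "Faulting application path", "Faulting module path", "Report Id",
    "Faulting package full name", "Faulting package-relative application ID",
]
_LABEL_ALT = "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
# One label, its value, and a lookahead for the next label or end of text.
_FIELD_RE = re.compile(
    rf"({_LABEL_ALT}):\s*(.*?)(?=[,\s]*(?:{_LABEL_ALT}):|\s*$)", re.S
)

# Well-known exception codes seen in these records (public NTSTATUS values).
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xE0434352: "CLR managed exception",
}


def decode_exception(code: str) -> str:
    """Map a hex exception code such as '0xc0000374' to its NTSTATUS name."""
    try:
        value = int(code, 16)
    except ValueError:
        return f"unparseable ({code})"
    return EXCEPTION_NAMES.get(value, f"unknown ({code})")


def parse_crash_event(text: str) -> dict:
    """Turn one flattened Event ID 1000 message into a dict of fields.

    'version' and 'time stamp' occur twice; each is attributed to the
    application or the module depending on which name preceded it.
    """
    fields, ctx = {}, "app"
    for label, value in _FIELD_RE.findall(text):
        value = value.strip()
        if label == "Faulting application name":
            ctx, key = "app", "app_name"
        elif label == "Faulting module name":
            ctx, key = "module", "module_name"
        elif label in ("version", "time stamp"):
            key = f"{ctx}_{label.replace(' ', '_')}"
        else:
            key = label.lower().replace(" ", "_").replace("-", "_")
        fields[key] = value
    fields["exception_name"] = decode_exception(fields.get("exception_code", ""))
    return fields


def summarize(records) -> Counter:
    """Count crashes per (application, exception name) to spot a repeating fault."""
    return Counter(
        (ev["app_name"], ev["exception_name"])
        for ev in (parse_crash_event(r) for r in records)
    )


SAMPLE_RECORDS = [
    # As posted in the thread above.
    "Faulting application name: splunk-winevtlog.exe, version: 2305.256.25832.56887, "
    "time stamp: 0x64e8dfcc Faulting module name: ntdll.dll, version: 10.0.20348.1970, "
    "time stamp: 0x31881ea2 Exception code: 0xc0000374 Fault offset: 0x0000000000104909 "
    "Faulting process id: 0x1304 Faulting application start time: 0x01d9ed2bd5be870c "
    "Faulting application path: C:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe "
    "Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll "
    "Report Id: 45c2b6fd-2c6e-484d-9602-eb948052101d "
    "Faulting package full name: Faulting package-relative application ID:",
    # Constructed: the same fault repeating, placeholder process/report ids.
    "Faulting application name: splunk-winevtlog.exe, version: 2305.256.25832.56887, "
    "time stamp: 0x64e8dfcc Faulting module name: ntdll.dll, version: 10.0.20348.1970, "
    "time stamp: 0x31881ea2 Exception code: 0xc0000374 Fault offset: 0x0000000000104909 "
    "Faulting process id: 0x0001 Faulting application start time: 0x0000000000000001 "
    "Faulting application path: C:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe "
    "Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll "
    "Report Id: 00000000-0000-0000-0000-000000000001 "
    "Faulting package full name: Faulting package-relative application ID:",
    # Constructed: a different exception code, to show the grouping.
    "Faulting application name: splunk-winevtlog.exe, version: 2305.256.25832.56887, "
    "time stamp: 0x64e8dfcc Faulting module name: ntdll.dll, version: 10.0.20348.1970, "
    "time stamp: 0x31881ea2 Exception code: 0xc0000005 Fault offset: 0x0000000000000002 "
    "Faulting process id: 0x0002 Faulting application start time: 0x0000000000000002 "
    "Faulting application path: C:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe "
    "Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll "
    "Report Id: 00000000-0000-0000-0000-000000000002 "
    "Faulting package full name: Faulting package-relative application ID:",
]

if __name__ == "__main__":
    for (app, exc), n in summarize(SAMPLE_RECORDS).most_common():
        print(f"{n:3d}  {app}  {exc}")
```

A heap-corruption fault raised inside ntdll.dll points at the process's own memory handling (here, while the ForwardedEvents input is enabled) rather than at the logged module itself, which is why the per-exception count is the useful signal to attach to a support case alongside the inputs.conf stanza.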