Good day,
We have one domain controller that is always about 5 hours behind in having the logs available in Splunk. This is our busiest domain controller and the security event log file is set to 1GB in size. We have already tuned the queue sizes on the heavy forwarders and indexers and all other events come in quickly, which makes us think the issue must be on the universal forwarder (latest version 6.3.2).
The output queues on the DC hovers around 200 KB/s, which makes us think that it's not working hard enough to parse the log file in time
Any suggestions?
↧