
Splunk Add-on for Microsoft Windows: How to find the cause of missing Windows Security Event Log entries?

I have searched the Answers site and cannot find an answer to why I get log off events, but intermittently am missing log on events in Splunk. This is a big problem for us and I have opened a ticket with Splunk Support but that also went nowhere and am hoping someone has had this issue and found a cause/fix. We on occasion see log off events, but cannot find the log on event anywhere. We do have a product called Adiscon that also grabs event log entries and it always has both events. We are using the Splunk_TA_Windows add-on with the following settings:

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
    index = wineventlog
    renderXml=false

Hoping someone can help.
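One check worth running on the stanza above is whether its `blacklist` drops any logon or logoff event ID before indexing. The following is an added example, not part of the original post or of the add-on: it expands the comma-separated ID/range form used in the post (not the key=regex blacklist form) and tests it against the standard Windows Security logon/logoff IDs; the function names are hypothetical.

```python
import configparser

# Stanza copied from the post above.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
index = wineventlog
renderXml=false
"""

# Windows Security logon/logoff event IDs (current and pre-Vista numbering).
SESSION_IDS = {4624: "logon", 4634: "logoff", 4647: "user-initiated logoff",
               528: "logon (legacy)", 540: "network logon (legacy)",
               538: "logoff (legacy)"}

def parse_id_list(value):
    """Expand a list such as "560,562,565-567" into a set of event IDs."""
    ids = set()
    for part in (p.strip() for p in value.split(",")):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range: {part}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids

def filtered_ids(conf_text, stanza="WinEventLog://Security"):
    """Return the event IDs the stanza's blacklist removes at the forwarder."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (checkpointInterval, renderXml)
    parser.read_string(conf_text)
    return parse_id_list(parser[stanza].get("blacklist", ""))

def audit(conf_text):
    """Map each logon/logoff event ID to True if the blacklist drops it."""
    dropped = filtered_ids(conf_text)
    return {eid: eid in dropped for eid in SESSION_IDS}

if __name__ == "__main__":
    for eid, is_dropped in sorted(audit(INPUTS_CONF).items()):
        print(eid, SESSION_IDS[eid], "BLACKLISTED" if is_dropped else "collected")
```

For the posted stanza every logon and logoff ID comes back as collected, so this blacklist does not by itself account for the missing logon events.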
