I have recently started upgrading Windows universal forwarders from 6.0.3 to 6.2.6. After I upgrade them, they seem to be resending the entire Windows Security log (2GB) instead of continuing where they left off. I can see the evidence of this by viewing the index data amount from the host starting after they are upgraded and by doing a report on Windows Security Events and seeing that there are multiple events with the same RecordNumber field.
Now I could modify my install script to drop the Security log, upgrade the software and avoid the licensing issues this is causing, but I'd prefer to get to the root cause.
Has anyone seen this?