We have a couple of Windows Event Collectors which have between 4,000 and 6,000 Windows systems subscribed to them, sending Event IDs 4688 (the heavy hitter), 4698, and 4697. For some reason the Universal Forwarder will stop sending the events to the Indexers, yet they are still being written into the Forwarded Events log from the other machines. Once I clear the Forwarded Events log, it seems to kick Splunk into gear and it starts forwarding again. The Forwarder will then stop sending again; rinse and repeat.
I tried updating the forwarder to 6.5.0, but no luck :( The server is running Server 2012 R2.