We have 5 indexers and a standalone search head with no cluster configuration. Recently, we have observed that the WinEventLog: Security logs are not indexing properly and there seems to be a huge delay in indexing them.
However, the other wineventlogs such as Application & System logs are indexing as expected. There is no recent change for this on the universal forwarder (UF) nor on the indexer. We tried to check one incident for which we have not received any logs (log was in the server) then this issue came to know.
We have Splunk 6.6.2 installed on both the UF & indexers. Any idea what could be causing the issue?
↧