Hello Guys,
I have a bit of a curious case and it is really bugging our production environment. I have deployed around 12 Windows UFs to monitor Security event logs within AD servers which are located behind a firewall. The version of the UFs is currently 5.0.2, and I have set the input and output configurations using a deployment server.
From the first deployment, I could see all 12 servers were sending the logs just fine. After several hours, the number of servers dropped to 7. The drop sequence continued until no server was sending logs at all.
I tried to use just a single server as a test project and I found that the server only sends logs for about 3 - 4 hours max before it stops sending completely. No errors or warnings were found within splunkd.log of the forwarder or my indexer. The splunkd.log entries were only "Connected to ...." and "... phone home ....". I also did not see any blocking event in metrics.log.
My configurations are like this:
**inputs.conf**
[WinEventLog://Security]
disabled = 0
index = app_ad
sourcetype = tseladscrt
start_from = oldest
current_only = 0
_TCP_ROUTING = loadheavyfwd
**outputs.conf**
[tcpout:loadheavyfwd]
compressed = true
server = :9997
sslCertPath = D:\Program Files\SplunkUniversalForwarder\etc\auth\cert.pem
sslPassword = xxxxxxxxxxxxx
sslRootCAPath = D:\Program Files\SplunkUniversalForwarder\etc\auth\CoreCA.pem
sslVerifyServerCert = true
Where should I start to troubleshoot?
Thank you.
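As an added example (not part of the original post, and not Splunk's own tooling), here is a small script that scans a forwarder's metrics.log for the two symptoms worth checking first when forwarders go quiet: a tcpout connection whose _tcp_Kprocessed counter stops advancing between samples, and an output queue reporting blocked=true. The sample log lines are constructed, and the field names are assumed from metrics.log conventions rather than taken from the post.

```python
import re
from datetime import datetime

# Constructed sample metrics.log lines (not from the original post). Field names
# follow Splunk metrics.log conventions as assumed here; one output "loadheavyfwd"
# transfers data for two samples, then its processed counter freezes, and the
# tcpout queue later reports itself blocked.
SAMPLE_LOG = """\
04-18-2023 10:00:00.000 +0000 INFO  Metrics - group=tcpout_connections, name=loadheavyfwd:10.0.0.5:9997:0, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=1200.00, _tcp_KBps=1.17, _tcp_avg_thruput=1.17, _tcp_Kprocessed=120, _tcp_eps=3.10
04-18-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpout_connections, name=loadheavyfwd:10.0.0.5:9997:0, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=1100.00, _tcp_KBps=1.07, _tcp_avg_thruput=1.07, _tcp_Kprocessed=153, _tcp_eps=2.90
04-18-2023 10:01:00.000 +0000 INFO  Metrics - group=tcpout_connections, name=loadheavyfwd:10.0.0.5:9997:0, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=153, _tcp_eps=0.00
04-18-2023 10:01:30.000 +0000 INFO  Metrics - group=tcpout_connections, name=loadheavyfwd:10.0.0.5:9997:0, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=153, _tcp_eps=0.00
04-18-2023 10:01:30.000 +0000 INFO  Metrics - group=queue, name=tcpout_loadheavyfwd, blocked=true, max_size_kb=512, current_size_kb=511, current_size=2041, largest_size=2041, smallest_size=1990
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} \w+\s+Metrics - (?P<kv>.*)$"
)


def parse_metrics(text):
    """Yield (timestamp, {field: value}) for every Metrics line in the text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.strip().split("=", 1) for kv in m.group("kv").split(","))
        yield datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f"), fields


def find_stalls(text, min_idle_intervals=2):
    """Return (stalled outputs, blocked queues). An output is stalled when its
    _tcp_Kprocessed counter fails to grow for min_idle_intervals consecutive
    samples; a queue is blocked when a group=queue line says blocked=true."""
    last, idle = {}, {}          # per output: last counter value, idle sample count
    stalled, blocked = set(), set()
    for _ts, f in parse_metrics(text):
        if f.get("group") == "tcpout_connections":
            name = f["name"].split(":")[0]   # strip host:port:index suffix
            kproc = int(f["_tcp_Kprocessed"])
            idle[name] = idle.get(name, 0) + 1 if name in last and kproc <= last[name] else 0
            last[name] = kproc
            if idle[name] >= min_idle_intervals:
                stalled.add(name)
        elif f.get("group") == "queue" and f.get("blocked") == "true":
            blocked.add(f["name"])
    return sorted(stalled), sorted(blocked)


if __name__ == "__main__":
    print(find_stalls(SAMPLE_LOG))   # -> (['loadheavyfwd'], ['tcpout_loadheavyfwd'])
```

Run it against the real metrics.log of a forwarder that has gone quiet; an output that is stalled with no blocked queue points at the connection or the input, while a blocked queue points at the output path.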