Since the Windows Event Viewer archives and generates a new log at 20MB (its maximum capacity), is there a risk that the Windows monitor would fail to consume an event if the events are being generated at a very quick pace? In other words, the creation of windows event logs is outpacing the Splunk monitor. For example, say your Windows server is generated X kb of Windows Security Events per second, but the splunk monitor can only consume X - 1 kb events per second, by the time the log hits 20MB and is archived, the splunk monitor has failed to consume all 20MB, so in theory I am missing some events. Is this a possibility?
asked 03 Apr '12, 08:18
This does not directly address your question, but if this does become an issue, you may be able to switch from archiving events, to 'overwrite events older than X days' and increasing the log size so it has time to pull. Although, I don't think you'll have that issue, I just don't have any proof to support it. Just a suggestion though.
answered 03 Apr '12, 14:06