
Since the Windows Event Viewer archives and generates a new log at 20MB (its maximum capacity), is there a risk that the Windows monitor would fail to consume an event if the events are being generated at a very quick pace? In other words, the creation of Windows event logs is outpacing the Splunk monitor. For example, say your Windows server is generating X KB of Windows Security events per second, but the Splunk monitor can only consume X - 1 KB of events per second; by the time the log hits 20MB and is archived, the Splunk monitor has failed to consume all 20MB, so in theory I am missing some events. Is this a possibility?

asked 03 Apr '12, 08:18

carmackd

Can you describe the input you've got configured? Are you writing event logs to a file, or polling via WMI?

(03 Apr '12, 09:51) jbsplunk ♦

One Answer:

This does not directly address your question, but if this does become an issue, you may be able to switch from archiving events to 'overwrite events older than X days' and increase the log size so it has time to pull. Although I don't think you'll have that issue, I just don't have any proof to support it. Just a suggestion, though.


answered 03 Apr '12, 14:06

jsb22
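The answer above suggests checking whether the Security log archives or overwrites, and how large it is. As an added example that is not from the original post, this PowerShell snippet reads those settings and estimates how long the log can absorb events before it wraps or archives; it assumes an elevated session, and the write rate is a constructed figure to replace with your own measurement.

```powershell
# Added example, not part of the original thread. Requires an elevated
# PowerShell session to read the Security log configuration.

function Get-SecurityLogRetention {
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        LogMode            = $log.LogMode              # Circular, AutoBackup or Retain
        MaximumSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentFileSizeMB  = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount        = $log.RecordCount
    }
}

# Estimate how many seconds the log can absorb events at a given write rate
# before it reaches its maximum size. $writeRateKBps is a constructed value;
# measure your own by sampling RecordCount (or the archived file sizes)
# over a known interval.
function Get-SecondsToFill {
    param([double]$writeRateKBps)
    $log = Get-WinEvent -ListLog Security
    ($log.MaximumSizeInBytes / 1KB) / $writeRateKBps
}

Get-SecurityLogRetention | Format-List
$writeRateKBps = 50   # constructed sample rate
"At {0} KB/s the Security log fills in about {1:N0} seconds" -f `
    $writeRateKBps, (Get-SecondsToFill -writeRateKBps $writeRateKBps)

# To apply the answer's suggestion (overwrite instead of archive, larger log),
# wevtutil takes the size in bytes and /rt:false selects 'overwrite as needed':
#   wevtutil sl Security /ms:1073741824 /rt:false
```

If LogMode reports AutoBackup, events that are not read before the file archives are only available from the archived .evtx files, which is the gap the question describes.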



Copyright © 2005-2012 Splunk Inc. All rights reserved.