VMware Cloud Community
JustenC
Enthusiast

Windows security event log

Hi all,

I am running a 3 node Log Insight cluster version 3.0.0-3021606. Been very happy with it.

I have Windows agents on our domain controllers sending the event logs in to the load balanced IP. Connectivity is fine. I am able to parse the security event log for the most part, but here is the problem.

Up until recently I was using this to filter on a specific security event ID (5136) and notify me. Worked great. I changed nothing and just let it ride.

It now appears that much of the data stored for this specific event ID is no longer there. Let me see if I can clarify.

If I look at the servers, the event log has all the data in it I would expect.

If I look at Log Insight analytics, there is practically nothing. Only a single field from the event (named 'DS Type'). Again, this worked fine several weeks ago but no longer does.

I have not yet upgraded the Log Insight version or patched it recently etc.

I have removed any other line from the filter, just show me event ID 5136 on anything. Same thing, just the one field. There are many DCs logging to Log Insight. All the data is effectively missing from all of them for this event.

I do have an alert tied to this filter but that's not new.

I am able to view the data from many other event IDs in the security event log such as 4624 and 4634 and they look great, however this 5136 is just not working.

The Log Insight agent log on the DC itself reports no dropped events. Indeed, the analytics filter shows the 5136 events, just not much in them.

I am probably not going to post proof of security events in this forum but if I can clarify my explanation or show a log, I will be happy to.

Thanks for any input!

Charlie

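The symptom above (5136 events arrive, but only the DS Type field survives) is worth checking at the source before suspecting the collector. The following is an added example, not code from the original post or from Log Insight: it parses a Windows Security event rendered as XML and reports which of the EventData fields that a 5136 (directory service object modified) event normally carries are absent. The sample events are constructed inline; the field list is the standard 5136 schema.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (the one Event Viewer's "XML View" shows).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData names a Security 5136 event carries. "DSType" is the lone field
# the poster still saw in Log Insight ('DS Type' once spaces are inserted).
EXPECTED_5136_FIELDS = (
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "DSName", "DSType", "ObjectDN", "ObjectGUID", "ObjectClass",
    "AttributeLDAPDisplayName", "AttributeSyntaxOID", "AttributeValue", "OperationType",
)

def event_fields(event_xml: str) -> dict:
    """Return the EventID and a {name: value} map of EventData for one event."""
    root = ET.fromstring(event_xml)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, "fields": fields}

def missing_5136_fields(event_xml: str) -> list:
    """List the expected 5136 fields that the event lacks; [] for other event IDs."""
    parsed = event_fields(event_xml)
    if parsed["EventID"] != 5136:
        return []
    return [name for name in EXPECTED_5136_FIELDS if name not in parsed["fields"]]

def make_event(event_id: int, data: dict) -> str:
    """Build a minimal event XML. Constructed test input, not a real DC export."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

# Constructed healthy 5136: a servicePrincipalName value added to a user object.
FULL_5136 = make_event(5136, {
    "SubjectUserSid": "S-1-5-21-0-0-0-500", "SubjectUserName": "admin",
    "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x3e7",
    "DSName": "example.local", "DSType": "%%14676",
    "ObjectDN": "CN=svc-backup,OU=Service,DC=example,DC=local",
    "ObjectGUID": "{00000000-0000-0000-0000-000000000001}", "ObjectClass": "user",
    "AttributeLDAPDisplayName": "servicePrincipalName",
    "AttributeSyntaxOID": "2.5.5.12", "AttributeValue": "HOST/backup01",
    "OperationType": "%%14674",
})
# Constructed reproduction of the thread's symptom: only DSType is present.
TRUNCATED_5136 = make_event(5136, {"DSType": "%%14676"})
```

Run it against events exported from the DC (Event Viewer XML view or an XML export) and, separately, against what the collector stored; a non-empty result on the DC side means the gap predates forwarding.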
7 Replies
admin
Immortal

Is it possible that your data got recycled out and archived? If your rate of ingestion is high events might have recycled out or archived.

JustenC
Enthusiast

It shows up this way even if I choose last 5 minutes. There is at least a week's space in the environment.

admin
Immortal

If you send me an email id we could webex perhaps?

JustenC
Enthusiast

Sure, thank you! But I can't do much until after lunch tomorrow. Is there a way to PM you here? I don't mind putting in my email but was going to try PM first. I'll 'follow' you and see if it gives me a PM also.

admin
Immortal

Can you please mark this question as answered, when you get a chance to? Thanks!

JustenC
Enthusiast

OK that should be done. Thank you again!

The answer for anyone else is that it appears a reboot of the DC the logs were coming from may have resolved the issue.

admin
Immortal

Thanks!
