
Windows security event log


Hi all,

I am running a 3 node Log Insight cluster, version 3.0.0-3021606. I have been very happy with it.

I have Windows agents on our domain controllers sending the event logs in to the load balanced IP. Connectivity is fine. I am able to parse the security event log for the most part, but here is the problem.

Up until recently I was using this to filter on a specific security event ID (5136) and notify me. Worked great. I changed nothing and just let it ride.

It now appears that much of the data stored for this specific event ID is no longer there. Let me see if I can clarify.


If I look at the servers, the event log has all the data in it I would expect.

If I look at Log Insight analytics, there is practically nothing. Only a single field from the event (named 'DS Type'). Again, this worked fine several weeks ago but no longer does.


I have not yet upgraded the Log Insight version, patched it recently, etc.

I have removed every other line from the filter, so it just shows event ID 5136 on anything. Same thing, just the one field. There are many DCs logging to Log Insight. All the data is effectively missing from all of them for this event.

I do have an alert tied to this filter but that's not new.

I am able to view the data from many other event IDs in the security event log, such as 4624 and 4634, and they look great; however, this 5136 is just not working.

The Log Insight agent log on the DC itself reports no dropped events. Indeed, the analytics filter shows the 5136 events, just not much in them.


I am probably not going to post proof of security events in this forum but if I can clarify my explanation or show a log, I will be happy to.


Thanks for any input!


Charlie
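As an added troubleshooting check (not part of Charlie's post, and not Log Insight's own tooling), the script below reads a few recent 5136 events directly from the Security log on a domain controller and lists which EventData fields each one actually carries. If the DC shows the full field set while Log Insight shows only one, the loss is in forwarding or parsing rather than in what Windows wrote. It assumes an elevated PowerShell session on the DC (reading the Security log requires administrative rights); the assumption that Log Insight's 'DS Type' field corresponds to the XML field named DSType is mine, not something the post states.

```powershell
# Added check, not from the original post: compare what the DC itself holds for
# event 5136 against what Log Insight displays. Run elevated on a domain controller.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                       -MaxEvents 5 -ErrorAction Stop

foreach ($e in $events) {
    # The agent forwards the rendered event XML; parse it the way a collector would.
    [xml]$xml = $e.ToXml()
    $data  = @($xml.Event.EventData.Data)
    $names = $data | ForEach-Object { $_.Name }

    "{0} RecordId={1} fields={2}" -f $e.TimeCreated, $e.RecordId, ($names -join ', ')

    # Fields that are present AND non-empty on the DC. If this list is as short as
    # what Log Insight shows (one field, assumed to be DSType), the event itself is
    # thin; if it is long, the data is being dropped somewhere between agent and server.
    $populated = @($data |
        Where-Object { -not [string]::IsNullOrEmpty($_.'#text') } |
        ForEach-Object { $_.Name })

    if ($populated.Count -le 1) {
        Write-Warning ("RecordId {0}: only {1} populated field(s) on the DC itself" -f
                       $e.RecordId, $populated.Count)
    }
    else {
        "  populated on DC: {0}" -f ($populated -join ', ')
    }
}
```

Compare the printed field list with the fields Log Insight extracts for the same RecordId; a mismatch narrows the problem to the agent's event-log collection or the server-side parsing of that event type.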

