Missed Events

I have a situation where we are receiving Windows Event ID 3000 sometimes but not other times. This is very problematic, as the event is used to troubleshoot process exits. The endpoint uses Windows Event Forwarding (WEF) to send logs to a server running both Windows Event Collector (WEC) and Winlogbeat. Winlogbeat collects the forwarded events and sends on to ES. The WEC configuration uses source-initiated subscriptions, one of which is set up to receive all events from the Windows Application event channel (which includes EID 3000). As I mentioned, that event comes through sometimes, but not always. Any suggestions on how to troubleshoot this are much appreciated!

...alternatively - if this can't be solved - how do I ensure a specific EID is sent to ES and never missed?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.