Hi All,
We are trying to monitor Windows event logs from multiple systems by installing forwarders on the individual machines; the logs are forwarded to a centralized Splunk instance.
During a network outage/disconnection of the internet on the individual systems, the event codes (4800 and 4801) are not captured in Splunk.
Below is the inputs.conf we are using:
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = test_events
start_from = oldest
whitelist = 4624,4634,4800,4801
Could you please help us out?
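Added example (not part of the original post): before blaming the forwarder or the index, confirm on the Windows host itself that 4800/4801 events were actually written to the local Security log during the outage window, and get hourly counts you can compare against what reached the test_events index. The outage window defaults are placeholders; replace them with your own times.

```powershell
# Added example, not from the original post. Run on the affected Windows host as an
# administrator (reading the Security log requires it).
param(
    [datetime]$Start = (Get-Date).AddHours(-6),   # placeholder: outage start
    [datetime]$End   = Get-Date                    # placeholder: outage end
)

$filter = @{
    LogName   = 'Security'
    Id        = 4800, 4801          # 4800 = workstation locked, 4801 = workstation unlocked
    StartTime = $Start
    EndTime   = $End
}

# Get-WinEvent throws when nothing matches, so suppress that and test for $null instead
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing local means the forwarder never had anything to send: 4800/4801 are only
    # generated when the "Other Logon/Logoff Events" audit subcategory is enabled.
    Write-Output "No 4800/4801 events in the local Security log for the window."
    Write-Output "Check the audit policy with: auditpol /get /subcategory:`"Other Logon/Logoff Events`""
    return
}

# One row per hour and event ID. Compare with the Splunk search
#   index=test_events EventCode IN (4800,4801) | timechart span=1h count by EventCode
# Hours present here but missing in Splunk point at the forwarder/outage, not the source.
$events |
    Group-Object -Property { '{0:yyyy-MM-dd HH}:00  EventID {1}' -f $_.TimeCreated, $_.Id } |
    Sort-Object Name |
    Select-Object @{ n = 'HourAndEventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

If the events exist locally but are missing in Splunk for exactly the outage hours, the next thing to inspect is the forwarder's own view of the input and its checkpoint on that host (for example `splunk list inputstatus` on the universal forwarder) rather than the whitelist.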