You can set up an alert to detect that certain machines are having issues because they re-ingested old logs


#1

Occasionally we have issues where a Windows installed collector will (re)forward old logs that occurred days ago. This typically happens if

  1. the collector wasn’t shut down cleanly

  2. the collector service gets hung and is then restarted. When this happens we get a flood of logs, we exceed our limit for the day, and then we can’t find the culprit because the log times are skewed (and I forget to check “use receipt time”). This query alerts me that certain hosts are sending OLD logs.
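The failure mode described in the post, a restarted collector replaying days-old events so that each event's own timestamp lags far behind the time the backend received it, can be checked for in any log platform that stores both values per message. The following is an added example, not code from the original poster or the vendor: it runs the detection over a constructed sample of records (the field names `host`, `message_time` and `receipt_time` and the records themselves are assumptions for the example) and reports the hosts whose events arrive with a lag above a threshold. The point the post makes about receipt time applies here too: the lag is only visible when you compare against receipt time; searching by message time scatters the flood across the days the events were originally written.

```python
"""Flag hosts whose forwarded events are stamped far in the past.

Added example, not code from the original thread. It models the scenario
above: a collector restarts and re-forwards old events, so the timestamp
parsed from the event (message time) lags far behind the time the backend
received it (receipt time). Field names and the sample records are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what a log platform keeps per message: the sending
# host, the timestamp parsed from the event, and when the backend received it.
SAMPLE_EVENTS = [
    {"host": "web01", "message_time": "2024-03-10T09:00:00Z", "receipt_time": "2024-03-10T09:00:02Z"},
    {"host": "web01", "message_time": "2024-03-10T09:01:00Z", "receipt_time": "2024-03-10T09:01:03Z"},
    # dc02's collector was restarted and is replaying events from five days ago
    {"host": "dc02", "message_time": "2024-03-05T08:00:00Z", "receipt_time": "2024-03-10T09:00:05Z"},
    {"host": "dc02", "message_time": "2024-03-05T08:00:01Z", "receipt_time": "2024-03-10T09:00:05Z"},
    {"host": "dc02", "message_time": "2024-03-05T08:00:02Z", "receipt_time": "2024-03-10T09:00:06Z"},
    # app03 is a few minutes behind (buffering or clock drift), not days behind
    {"host": "app03", "message_time": "2024-03-10T08:55:00Z", "receipt_time": "2024-03-10T09:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_replaying_hosts(events, max_lag=timedelta(hours=24), min_old_events=1):
    """Return {host: stats} for hosts that sent at least min_old_events events
    whose receipt time is more than max_lag after their message time.

    stats holds total_events, old_events and the largest lag seen. Events
    stamped in the future (negative lag) are counted but never flagged; that
    is a different problem (clock ahead), not a replay.
    """
    stats = defaultdict(lambda: {"total_events": 0, "old_events": 0, "max_lag": timedelta(0)})
    for ev in events:
        lag = parse_ts(ev["receipt_time"]) - parse_ts(ev["message_time"])
        s = stats[ev["host"]]
        s["total_events"] += 1
        if lag > max_lag:
            s["old_events"] += 1
            if lag > s["max_lag"]:
                s["max_lag"] = lag
    return {h: s for h, s in stats.items() if s["old_events"] >= min_old_events}


def format_alert(flagged):
    """Render one alert line per flagged host, oldest replay first."""
    lines = []
    for host, s in sorted(flagged.items(), key=lambda kv: kv[1]["max_lag"], reverse=True):
        lines.append(
            f"{host}: {s['old_events']}/{s['total_events']} events arrived "
            f"more than {s['max_lag'].days} days late (max lag {s['max_lag']})"
        )
    return lines


if __name__ == "__main__":
    for line in format_alert(find_replaying_hosts(SAMPLE_EVENTS)):
        print(line)
```

The 24-hour threshold matches the "days ago" symptom in the post and keeps ordinary buffering or clock drift (the `app03` record) out of the alert; tune it to the longest outage a collector is expected to catch up from legitimately, and raise `min_old_events` if a single stray event should not page anyone. Grouping by host is what makes the flood attributable to the one collector that restarted.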


#2

Hi @Will, for scenarios as mentioned above, whenever logs with an old time stamp are forwarded, the field SystemTStamp will display the actual date-time stamp of when the event was generated. As far as log event volume is concerned, if load balancing capabilities exist for the Adapter along with sufficient RAM and storage, then there shouldn’t be a problem.

Load balancing configurations should always be in place if such scenarios and a high Events Per Second (EPS) rate are expected :grin: