Hello,
So recently I've been getting those errors followed obviously by a
disabling of the stream in question.
I wouldn't however expect this to happen since the rules are rather simple
(for WinEvents collected by sidecar):
- *EventID* must match exactly *4656*
- *SubjectUserName* must match regular expression *.*\$$*
- *EventType* must match exactly *AUDIT_FAILURE*
Regex debug returned either an immediate fail or a 6-step match depending
on the possible nature of '*SubjectUserName*' within the timeframe the
issue occurred. (it, user1, admin, PC01$, Server02$)
What else could cause this to fail?
As a 'coincidence', the journal filled up to maximum capacity (and
failed) really quickly during the same period due to spikes in events at
that time (expected), so I adjusted the journal
size, processbuffer_processors and outputbuffer_processors in hopes it will
solve that part.
However, can both events be related? If so, how? I'm not sure how the
journal issue can lead to the stream processing issue.
Thank you for your time.
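An added example, not code from the post or from Graylog, that evaluates the three stream rules described above over constructed Windows events in Python. It reads the regex as `.*\$$` with the email's bold markers stripped; the numeric-EventID and missing-SubjectUserName events are assumptions added to show how an evaluator should treat them, not behaviour the post reports.

```python
import re

# Constructed sample events modelled on the Windows events in the post
# (constructed for this example; not real log data).
SAMPLE_EVENTS = [
    {"EventID": "4656", "SubjectUserName": "PC01$", "EventType": "AUDIT_FAILURE"},
    {"EventID": "4656", "SubjectUserName": "Server02$", "EventType": "AUDIT_FAILURE"},
    {"EventID": "4656", "SubjectUserName": "admin", "EventType": "AUDIT_FAILURE"},
    {"EventID": "4656", "SubjectUserName": "user1", "EventType": "AUDIT_SUCCESS"},
    # Assumption: EventID arrives as a number rather than a string.
    {"EventID": 4656, "SubjectUserName": "WS03$", "EventType": "AUDIT_FAILURE"},
    # Assumption: the field the regex rule needs is absent from the event.
    {"EventID": "4656", "EventType": "AUDIT_FAILURE"},
]

# The three rules from the post as (field, rule type, value); all must match.
STREAM_RULES = [
    ("EventID", "exact", "4656"),
    ("SubjectUserName", "regex", r".*\$$"),  # machine accounts end in '$'
    ("EventType", "exact", "AUDIT_FAILURE"),
]


def rule_matches(event, field, kind, value):
    """Evaluate one rule: True/False, or None when the field is absent."""
    if field not in event:
        return None
    actual = str(event[field])  # coerce to text so 4656 and "4656" compare equal
    if kind == "exact":
        return actual == value
    if kind == "regex":
        return re.match(value, actual) is not None
    raise ValueError(f"unknown rule type {kind!r}")


def evaluate(event, rules=STREAM_RULES):
    """Return 'match', 'no_match', or 'missing_field:<name>' for one event."""
    for field, kind, value in rules:
        result = rule_matches(event, field, kind, value)
        if result is None:
            return f"missing_field:{field}"
        if not result:
            return "no_match"
    return "match"


def summarise(events=SAMPLE_EVENTS):
    """Outcome per sample event, in input order."""
    return [evaluate(e) for e in events]
```

Running `summarise()` shows that only the machine-account events match all three rules, and that an event lacking the regex rule's field is reported separately rather than silently treated as a non-match.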