Hi,
We've deployed a Windows event log forwarding/collector system. Currently, our DCs have been forwarding Security events for almost 3 months.
Today, I noticed that there has been a gap in forwarded events. The collector stopped collecting events on 2019-01-16 and started collecting again on 2019-01-21 (at the same time the collector server was restarted).
I noticed it during a routine check (found we had only 3 archived Security evtx files last week).
Subscriptions are 'Source computer initiated' with HTTP + 'Minimize latency' as the advanced settings, and I'm collecting all Security events there.
My questions so far are:
* How can I diagnose what happened?
* What can I do to prevent that from happening again?
* The DCs already have these logs archived in EVTX files. Is there any way I can forward them to the central log collector?
* Related to the first two questions, is there any event ID, log, or anything else I can check to see whether this has happened previously?
Both DCs are Server 2008 R2 and the event log collector is Server 2016 Datacenter.
Thanks!
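The following is an added example, not code from the original post or from the poster's environment. It addresses the first and last questions (diagnosing the gap and checking whether it happened before) with a PowerShell script run on the collector. It assumes the subscription writes to the default ForwardedEvents log (the post does not name the destination log) and that more than an hour of silence from a DC's Security log is abnormal; both are assumptions, and the sample timestamps are constructed to mirror the 2019-01-16 to 2019-01-21 hole.

```powershell
# Added example (not from the original post). Finds gaps in a stream of event
# timestamps so it can be run against the collector's ForwardedEvents log to
# answer "when did collection stop and resume, and has it happened before?".
# Assumptions: the subscription targets the default ForwardedEvents log, and a
# silence longer than $MaxSilence is abnormal for Security events from a DC.

function Find-EventGaps {
    param(
        [Parameter(Mandatory)] [datetime[]] $Timestamps,
        [timespan] $MaxSilence = [timespan]::FromMinutes(30)
    )
    # Get-WinEvent returns newest-first; sort so consecutive pairs are adjacent in time.
    $sorted = $Timestamps | Sort-Object
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $delta = $sorted[$i] - $sorted[$i - 1]
        if ($delta -gt $MaxSilence) {
            [pscustomobject]@{
                LastEventBeforeGap = $sorted[$i - 1]
                FirstEventAfterGap = $sorted[$i]
                Duration           = $delta
            }
        }
    }
}

# 1. Offline check with constructed timestamps: events every 10 minutes, then
#    nothing for five days. Expect one gap, 2019-01-16 08:20 -> 2019-01-21 09:05.
$sample = @(
    [datetime]'2019-01-16 08:00', [datetime]'2019-01-16 08:10',
    [datetime]'2019-01-16 08:20', [datetime]'2019-01-21 09:05',
    [datetime]'2019-01-21 09:12'
)
Find-EventGaps -Timestamps $sample | Format-Table -AutoSize

# 2. Same check against the live collector log for the last 90 days. Only
#    TimeCreated is kept so a large log does not have to stay in memory.
#    Note TimeCreated is the time the DC wrote the event, not when the
#    collector received it, which is what we want for finding holes.
$since = (Get-Date).AddDays(-90)
$live = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty TimeCreated
if ($live) {
    Find-EventGaps -Timestamps $live -MaxSilence ([timespan]::FromHours(1)) | Format-Table -AutoSize
}

# 3. Subscription health on the collector: per-source runtime status for each
#    subscription, then the collector's own operational log filtered to
#    warnings and errors, which is where subscription failures are recorded.
wecutil es | Where-Object { $_ } | ForEach-Object { wecutil gr $_ }
Get-WinEvent -LogName 'Microsoft-Windows-EventCollector/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since -and $_.LevelDisplayName -ne 'Information' } |
    Format-Table TimeCreated, Id, Message -Wrap
```

The same `Find-EventGaps` function can be pointed at one of the archived files on a DC with `Get-WinEvent -Path <file>.evtx | Select-Object -ExpandProperty TimeCreated`, which lets you compare the archive against what the collector holds for the same window. On the source side, the forwarder's own errors (WinRM, certificate, and subscription problems) are written to the `Microsoft-Windows-Forwarding/Operational` log, which is the first place to look when the collector's runtime status shows a source as not connected.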