2019-12-17 10:29 PM
On our Endpoint Log Hybrid (not a legacy collector), I'm seeing the following errors in the /var/log/messages file for all of our Windows event sources.
Dec 18 02:36:46 <END_LOG_HYBRID> NwLogCollector[1568]: [WindowsCollection] [warning] [<AD_DOMAIN_CONTROLLER>] [processing] [WorkUnit] [processing] Log for channel Security may have rolled over. Previous/Current record number: 775648485/775648488.
I've followed the suggestions in this document, 000029686 - Windows legacy log collection warning message "System may have rolled over" in RSA NetWitness, but it doesn't seem to make a difference.
Our current event log settings on the Domain Controller:
Settings within the Log Collector configuration:
2019-12-17 10:48 PM
Jeremy
Could I see a pic of the domain config page? Are you excluding Security 4661? This was an issue before in Windows that caused this exact message.
You might want to check the log collector logs and see if you are getting 'resubscribing' messages.
Either way, filter the 4661 message in the domain config section.
Dave
2019-12-17 10:51 PM
Sure, which 'domain config' page are you referring to?
I don't believe we're filtering 4661.
2019-12-17 11:20 PM
You want something like the following:
This is under the "event categories" section (left pane).
2019-12-17 11:31 PM
Thanks, I posted this earlier. I thought this was what you were after, but wanted to check you were talking about the same place.
If we filter event 4661, aren't there incidents where that event would be useful?
Also, I 'think' I may have found what could be causing the issue. We have had a number of DCs refreshed, and the new ones are reusing IP addresses of the old DCs, so that could be what's causing a conflict.
2019-12-26 05:03 PM
I was wrong. I've cleaned up all the duplicate event sources, but I'm still getting the error message about the log rolling over.
2019-12-26 05:29 PM
Have you added in the 4661 filtering?
2019-12-26 06:43 PM
I have now. It appears to have resolved the issue. I haven't seen the rolling log error for about 15 minutes now.
Wouldn't event 4661 be required in an incident response scenario? Do I have to keep this filtering enabled, or can it be removed after a period of time?
Why is this filtering required now? It hasn't been a problem for us in the past; it's only recently become an issue.
2019-12-26 06:50 PM
I have not found a use for that event yet.
And that filter is permanent. It is a Microsoft bug that we have been working with them on.
Basically the message is corrupt and corrupts the whole log package. Once that happens, a new subscription is started. The timestamps are different than the previous subscription.
This is the error you are seeing.
Here is more about the 4661 message:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4661
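The warning quoted at the top of the thread carries the previous and current record numbers, and those numbers are enough to triage it: a gap of three records after a fresh subscription is a very different situation from record numbers that have restarted from zero (the Security log was cleared or recreated) or a jump of tens of thousands of records (collection really did fall behind). The script below is an added example, not part of this thread or of RSA's tooling; it parses constructed NwLogCollector lines modelled on the one above (hostnames, the 1000-record threshold, and the "Resubscribing" info line are assumptions) and summarises the warnings per event source and channel so that a defender can see which hosts show the small-gap pattern discussed here and which ones actually lost records.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the warning quoted in the thread.
# Hostnames and record numbers are placeholders, not real systems.
SAMPLE_LOG = """\
Dec 18 02:36:46 ELH01 NwLogCollector[1568]: [WindowsCollection] [warning] [DC01.example.test] [processing] [WorkUnit] [processing] Log for channel Security may have rolled over. Previous/Current record number: 775648485/775648488.
Dec 18 02:37:10 ELH01 NwLogCollector[1568]: [WindowsCollection] [warning] [DC01.example.test] [processing] [WorkUnit] [processing] Log for channel Security may have rolled over. Previous/Current record number: 775648490/775648493.
Dec 18 02:40:02 ELH01 NwLogCollector[1568]: [WindowsCollection] [warning] [DC02.example.test] [processing] [WorkUnit] [processing] Log for channel Security may have rolled over. Previous/Current record number: 9123456/42.
Dec 18 02:41:15 ELH01 NwLogCollector[1568]: [WindowsCollection] [warning] [DC03.example.test] [processing] [WorkUnit] [processing] Log for channel System may have rolled over. Previous/Current record number: 500000/620000.
Dec 18 02:41:16 ELH01 NwLogCollector[1568]: [WindowsCollection] [info] [DC03.example.test] [processing] Resubscribing to channel System.
"""

# Matches only the "may have rolled over" warning; other collector lines are ignored.
ROLLOVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ NwLogCollector\[\d+\]: "
    r"\[WindowsCollection\] \[warning\] \[(?P<source>[^\]]+)\] .*?"
    r"Log for channel (?P<channel>\S+) may have rolled over\. "
    r"Previous/Current record number: (?P<prev>\d+)/(?P<cur>\d+)\."
)


def classify(prev, cur, small_gap=1000):
    """Label one warning by what the record numbers say.

    Windows keeps incrementing EventRecordID when an "overwrite as needed" log
    wraps; the counter only restarts when the log is cleared or recreated.
    The small_gap threshold is an assumption for this example, not a product value.
    """
    if cur < prev:
        return "reset"        # counter restarted: log cleared/recreated on the host
    if cur - prev <= small_gap:
        return "small_gap"    # a handful of records skipped: looks like a resubscription
    return "large_gap"        # collection genuinely fell behind; records were lost


def parse_rollover_warnings(text, small_gap=1000):
    """Return one dict per rollover warning found in the collector log text."""
    events = []
    for line in text.splitlines():
        m = ROLLOVER_RE.match(line)
        if not m:
            continue
        prev, cur = int(m["prev"]), int(m["cur"])
        events.append({
            "ts": m["ts"],
            "source": m["source"],
            "channel": m["channel"],
            "prev": prev,
            "cur": cur,
            "kind": classify(prev, cur, small_gap),
        })
    return events


def summarize(events):
    """Aggregate warnings per (event source, channel) for a quick triage table."""
    summary = defaultdict(lambda: {
        "count": 0, "reset": 0, "small_gap": 0, "large_gap": 0, "records_skipped": 0,
    })
    for e in events:
        s = summary[(e["source"], e["channel"])]
        s["count"] += 1
        s[e["kind"]] += 1
        if e["kind"] != "reset":
            s["records_skipped"] += e["cur"] - e["prev"]
    return dict(summary)


if __name__ == "__main__":
    for (source, channel), s in summarize(parse_rollover_warnings(SAMPLE_LOG)).items():
        print(f"{source:20} {channel:10} warnings={s['count']} reset={s['reset']} "
              f"small_gap={s['small_gap']} large_gap={s['large_gap']} "
              f"records_skipped={s['records_skipped']}")
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; hosts that only ever show small gaps are candidates for the 4661 filter described in this thread, while a "reset" on a domain controller is worth checking on the host itself, since a cleared Security log is a finding in its own right.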
2019-12-26 06:54 PM
Ok, good to know. Thanks for your help in getting this resolved.
I'm guessing this isn't an issue when using NetWitness Endpoint for forwarding logs?