Is there a method to 'fool' the agent into reprocessing the entire
Security Event Log and forward the data to Sentinel? We're running into
a situation where the disk space on secondary storage was filled up, and
a bunch of data was groomed out as a result. So we basically want to
re-read the existing sec log. I noticed in the registry of the agent
for the Security NT Event Log provider we have "LastRecord" and
"LastTime_t" registry keys... I tested in my environment, setting those to
0 and restarting the agent, but that doesn't appear to fool the system
into rereading the logs. Any ideas?


netiquslaie's Profile: https://forums.netiq.com/member.php?userid=11227