paulberg: What happens when the WEF collector server is down, either for update reasons or because it has simply crashed? Do the servers that are sending logs keep the current state and then forward the logs once the collector becomes available, or is it a fire-and-forget case where all the logs sent while the WEF collector was down are lost?
edit: For those who are wondering about this, we tested it by taking down the WEF collector for a few minutes and then bringing it back online. We timed the power-off and power-on, and it looks like the logs are kept locally on the clients until the WEF collector becomes available and are then forwarded. So we don't lose logs if WEF is down; it just forwards them when it becomes available without losing track. Also, the timestamp on the logs stays true. So if WEF goes down at 15:00 and comes back online at 15:10, when the clients send the logs that were generated in between those times, in Sentinel you will see the log times as 15:01, 15:03, etc. So keep this in mind when you are building analytic rules.
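The point in the edit above (event timestamps stay true while arrival in Sentinel is delayed by the outage) is exactly the case a scheduled analytic rule that filters only on TimeGenerated misses: a rule that runs every 15 minutes and looks back 15 minutes will never see an event stamped 15:01 that only reached the workspace at 15:12. The following KQL is an added example, not code from the post or from any Microsoft project; it assumes the forwarded Windows events land in the SecurityEvent table and uses a failed-logon (EventID 4625) threshold as a constructed sample detection. The lookback and tolerated delay values are assumptions to tune for your environment.

```kusto
// Added example, not from the original post.
// Assumes forwarded Windows events arrive in SecurityEvent (e.g. via WEF + AMA).
let rule_look_back = 15m;      // the rule's query period (matches its run frequency)
let ingestion_delay = 10m;     // longest collector outage the rule should tolerate
SecurityEvent
// Window on ingestion time: catches events that arrived during this run,
// including ones that sat on a client while the collector was down.
| where ingestion_time() > ago(rule_look_back)
// Still bound TimeGenerated so the scan stays cheap, but widen it by the
// tolerated delay so late-arriving events with old timestamps are not dropped.
| where TimeGenerated > ago(rule_look_back + ingestion_delay)
| where EventID == 4625                      // constructed sample detection: failed logons
| summarize FailedLogons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // how late the events actually reached the workspace
            MaxIngestionLagMinutes = max(datetime_diff("minute", ingestion_time(), TimeGenerated))
    by Account, Computer
| where FailedLogons >= 10
```

The rule's own lookback period in the Sentinel scheduled-rule settings should be set to rule_look_back + ingestion_delay so that the widened TimeGenerated filter is actually within the data the rule is allowed to query; the ingestion_time() filter is what prevents the same event from alerting on consecutive runs. The MaxIngestionLagMinutes column is a cheap way to confirm, after a collector outage like the one described in the post, that the delayed events were evaluated rather than silently skipped.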