We are partially receiving the logs from Domain controllers.
The setup we have is more than 20 AD servers including domain controller. These logs are getting forwarded to Bindplane WEC server from WEC to Chronicle (Secops). The setup is agentless.
As observed few event logs like 4725 , 4726 and 4720 etc are not getting ingested to WEC server as we checked in the event viewer(Forwarded Events section) of WEC server (Bindplane).
Anyone faced the same issue.
DC Logs are partially getting ingested to secops
+1
+2- Bronze 2
I've not personally seen that issue. Its only a certain category of log? Can you email support@bindplane.com and open a ticket?
+7- Bronze 1
Hi,
From my experience, I believe the issue you described is not related to BindPlane or SecOps.
A single WEC server typically doesn't have the capacity to collect logs from 20 AD servers — that’s a significant volume of data.
You can confirm this assumption by simulating an event from an AD server and checking whether it appears in the local server’s Event Logs, specifically under the Forwarded Events section on the WEC server.
If the event does not appear there, it indicates that the issue lies in the log forwarding process between your Windows servers — and therefore, the event will not be ingested into BindPlane.
I highly recommend reviewing this stage before checking log ingestion at the BindPlane or SecOps level.
I usually resolve this issue for clients by following these steps:
1.In the WEC configuration, change the log collection method to source-initiated instead of collector-initiated.
2. Deploy additional WEC servers and distribute the load between them (this can be controlled via Windows GPO).
If the two previous steps are not an option, consider installing an agent on each server.
+6- Bronze 5
I am having a very similar issue, once we migrated to bindplane running on the WEC and collecting directly from the custom channel. We noticed a huge drop in ingestion.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.