This issue is for an edge case that only applies to Windows event collection servers receiving forwarded events. Because Windows event forwarding batches events with lag (e.g. the "Minimize Bandwidth" delivery option can take up to 6 hours to deliver events), the very first or last event queried in a forwarded event log is not a reliable measure of the oldest or newest events overall.
https://github.com/ibm-security-intelligence/wincollect/blob/b9dddc7958e91a9a3674f2d3610f4c07e123daec/EventLogReport/GetEventLogReport.ps1#L49
A better approach is to sample the oldest and newest events: that is, look for the oldest and newest timestamp within a sample of the first 10000 and the last 10000 events, so that late batches of old events arriving at the Max Delivery Time do not skew the result. While not perfect, it is a better approximation.
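An added PowerShell sketch of the sampling approach (this is not code from the wincollect repository); it assumes the subscription writes to the default ForwardedEvents log and uses the 10000-event sample size described above:

```powershell
# Added example (not part of the wincollect project): estimate the age range of a
# forwarded event log by sampling its oldest and newest N events instead of trusting
# the single first/last record, since forwarded batches can arrive hours late.
param(
    [string]$LogName = 'ForwardedEvents',   # assumption: the WEC subscription targets this log
    [int]$SampleSize = 10000                # sample size from the issue text
)

function Get-SampledEventRange {
    param([string]$LogName, [int]$SampleSize)

    # -Oldest reads from the head of the log; without it Get-WinEvent reads from the tail.
    $oldestSample = Get-WinEvent -LogName $LogName -MaxEvents $SampleSize -Oldest -ErrorAction Stop
    $newestSample = Get-WinEvent -LogName $LogName -MaxEvents $SampleSize -ErrorAction Stop

    # Take the extreme timestamp within each sample. A late batch of old events sitting
    # at the tail of the log therefore cannot masquerade as the "newest" event, and a
    # single stray record at the head cannot define the "oldest" one.
    $oldest = ($oldestSample | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    $newest = ($newestSample | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated

    [pscustomobject]@{
        LogName       = $LogName
        SampleSize    = $SampleSize
        OldestEvent   = $oldest
        NewestEvent   = $newest
        RetentionSpan = $newest - $oldest
    }
}

Get-SampledEventRange -LogName $LogName -SampleSize $SampleSize
```

Run it on the collector itself; reading the log remotely is slower and the sample of 10000 events per end is only an approximation, as the issue notes.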