https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463838#M15122 <P>Hi Team,</P> <P>Currently we are ingesting all data from wineventlog Security, Application &amp; System from all Windows Client machines. And due to this ingestion we are overloaded with the license usage and now we are planning only to ingest only the critical EventCode (4688,4624) and so on and the remaining Security wineventlog are not required so kindly let me know how to pull the data for a particular EventCode from all windows machine so that we will implement the same and check it.</P> <P>Current Inputs:</P> <P>[WinEventLog://Application]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>[WinEventLog://System]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>So it would be really helpful if i can ingest only the particular eventcode from wineventlog:security so that we will be saving some licenses.</P> Mon, 21 Oct 2019 08:07:56 GMT anandhalagarasa 2019-10-21T08:07:56Z https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463838#M15122 <P>Hi Team,</P> <P>Currently we are ingesting all data from wineventlog Security, Application &amp; System from all Windows Client machines. And due to this ingestion we are overloaded with the license usage and now we are planning only to ingest only the critical EventCode (4688,4624) and so on and the remaining Security wineventlog are not required so kindly let me know how to pull the data for a particular EventCode from all windows machine so that we will implement the same and check it.</P> <P>Current Inputs:</P> <P>[WinEventLog://Application]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>[WinEventLog://System]<BR /> disabled = 0<BR /> index = xxx<BR /> renderXml=0</P> <P>So it would be really helpful if i can ingest only the particular eventcode from wineventlog:security so that we will be saving some licenses.</P> Mon, 21 Oct 2019 08:07:56 GMT https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463838#M15122 anandhalagarasa 2019-10-21T08:07:56Z https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463839#M15123 <P>Use whitelist/blacklist functionality in inputs.<BR /> Docs - <A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/Whitelistorblacklistspecificincomingdata">https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/Whitelistorblacklistspecificincomingdata</A><BR /> Similar question - <A href="https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.html">https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.html</A></P> <P>You can also clean up events - <A href="https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration#Configure_event_cleanup_best_practices_in_props.conf">https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration#Configure_event_cleanup_best_practices_in_props.conf</A></P> Mon, 21 Oct 2019 08:33:19 GMT https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463839#M15123 dauren_akilbeko 2019-10-21T08:33:19Z https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463840#M15124 <P>Hi,</P> <P>I hope below link will give you an idea.</P> <P><A href="https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.html">https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.html</A></P> <P>Regards,<BR /> Tejas</P> Mon, 21 Oct 2019 08:37:55 GMT https://community.splunk.com/t5/Security/Specific-Wineventlog-Security-ingestion-into-Splunk/m-p/463840#M15124 tbavarva 2019-10-21T08:37:55Z