https://community.splunk.com/t5/All-Apps-and-Add-ons/OPSEC-App-indexing-much-more-than-expected/m-p/217625#M23625 <P>Hi all, </P> <P>so we installed the OPSEC App yesterday (took about 2 hours) and now we get Logs - a LOT of logs. <BR /> Our firewall Team expected around 25 Gig per day, now at 8am we are at around 40 Gig.</P> <P>Now I was wondering if maybe the configuration of opsec app is somehow incorrect and that maybe data is indexed multiple times or something the like. I did few very short tests to find duplicates (just searched for the raw test of an event) but could not find any. </P> <P>Are there any known configuration mistakes that might cause such that much data to be indexed. During the configuration we did had to create/delete/re-create several connections and trust relations, but now we only have the connections that we actually need and want. </P> <P>What I am a little bit worried about is the following configuration in the opsec-log-status.conf file. I see multiple stanzas for the same data-source (clm-data-1) but only for the last one the "last_rec_pos" variable is increased automatically. </P> <PRE><CODE>[1466632741@clm-data-1] fileid = 1466632741 filename = fw.log last_rec_pos = 23801843 [1466644651@clm-data-1] fileid = 1466644651 filename = fw.log last_rec_pos = 23725430 [1466655679@clm-data-1] fileid = 1466655679 filename = fw.log last_rec_pos = 23407048 [1466661952@clm-data-1] fileid = 1466661952 filename = fw.log last_rec_pos = 1710000 </CODE></PRE> <P>Or are there any features on how to reduce the amount of data indexed by the opsec app. We could deactivate VPN and Audit Logging but that's only around 1% of all logs. </P> <P>Thank you !</P> Tue, 29 Sep 2020 09:59:53 GMT pinVie 2020-09-29T09:59:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OPSEC-App-indexing-much-more-than-expected/m-p/217625#M23625 <P>Hi all, </P> <P>so we installed the OPSEC App yesterday (took about 2 hours) and now we get Logs - a LOT of logs. <BR /> Our firewall Team expected around 25 Gig per day, now at 8am we are at around 40 Gig.</P> <P>Now I was wondering if maybe the configuration of opsec app is somehow incorrect and that maybe data is indexed multiple times or something the like. I did few very short tests to find duplicates (just searched for the raw test of an event) but could not find any. </P> <P>Are there any known configuration mistakes that might cause such that much data to be indexed. During the configuration we did had to create/delete/re-create several connections and trust relations, but now we only have the connections that we actually need and want. </P> <P>What I am a little bit worried about is the following configuration in the opsec-log-status.conf file. I see multiple stanzas for the same data-source (clm-data-1) but only for the last one the "last_rec_pos" variable is increased automatically. </P> <PRE><CODE>[1466632741@clm-data-1] fileid = 1466632741 filename = fw.log last_rec_pos = 23801843 [1466644651@clm-data-1] fileid = 1466644651 filename = fw.log last_rec_pos = 23725430 [1466655679@clm-data-1] fileid = 1466655679 filename = fw.log last_rec_pos = 23407048 [1466661952@clm-data-1] fileid = 1466661952 filename = fw.log last_rec_pos = 1710000 </CODE></PRE> <P>Or are there any features on how to reduce the amount of data indexed by the opsec app. We could deactivate VPN and Audit Logging but that's only around 1% of all logs. </P> <P>Thank you !</P> Tue, 29 Sep 2020 09:59:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OPSEC-App-indexing-much-more-than-expected/m-p/217625#M23625 pinVie 2020-09-29T09:59:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OPSEC-App-indexing-much-more-than-expected/m-p/217626#M23626 <P>Are you using <CODE>Splunk_TA_opseclea_linux22</CODE> (aka version 3.1) or <CODE>Splunk_TA_checkpoint-opseclea</CODE> (aka version 4.0)?</P> <P>If you're using 3.1, are you passing unique values for configentity? e.g.: audit, vpn, ips, etc?</P> <P>You might also be pulling historical data, as well as current. If that's the case then the data volume should settle down after your initial import.</P> Thu, 23 Jun 2016 18:09:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OPSEC-App-indexing-much-more-than-expected/m-p/217626#M23626 jamesarmitage 2016-06-23T18:09:46Z