https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Event-Logs-monitoring/m-p/551061#M65576 <P>Hi All,</P><P>&nbsp;</P><P>I am building a solution to monitor the windows event logs from about 800 machines using splunk deployment server setup.</P><P>I am filtering for only 4 event codes using whitelist option (4624,4634,4800,4801). The logs seems to be flowing correctly and i am able to generate reports.</P><P>However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.</P><P>I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.</P><P>Can someone help out how the disk space can be optimized when monitoring the windows event logs for 800 machines.&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Naagaraj SV</P> Mon, 10 May 2021 10:18:37 GMT naagaraj 2021-05-10T10:18:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Event-Logs-monitoring/m-p/551061#M65576 <P>Hi All,</P><P>&nbsp;</P><P>I am building a solution to monitor the windows event logs from about 800 machines using splunk deployment server setup.</P><P>I am filtering for only 4 event codes using whitelist option (4624,4634,4800,4801). The logs seems to be flowing correctly and i am able to generate reports.</P><P>However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.</P><P>I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.</P><P>Can someone help out how the disk space can be optimized when monitoring the windows event logs for 800 machines.&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Naagaraj SV</P> Mon, 10 May 2021 10:18:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Event-Logs-monitoring/m-p/551061#M65576 naagaraj 2021-05-10T10:18:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Event-Logs-monitoring/m-p/551121#M65585 <P>Greetings&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/155813">@naagaraj</a>&nbsp;,</P><P>The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog.&nbsp;</P><P>If you don't want historical logs, take a look at the <FONT face="courier new,courier">current_only</FONT>&nbsp;setting specifically for Windows Event Logs.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor</A></P> Mon, 10 May 2021 18:13:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Event-Logs-monitoring/m-p/551121#M65585 jacobpevans 2021-05-10T18:13:55Z