topic Re: Windows Event Logs and Splunk-Can Splunk be configured to delete event logs? in Getting Data In

Windows Event Logs and Splunk-Can Splunk be configured to delete event logs?

sysadmin74 — Tue, 11 Oct 2011 20:58:42 GMT

Is there any capability within Splunk so it automatically deletes the Application, Security, and System Logs in Event Viewer after Splunk receives the events? We currently have Windows Server 2003 R2 but also looking to implement Windows Server 2008 R2. Specifically, I'm curious as to if there are any configuration options available in Splunk to delete the logs in Event Viewer after Splunk gets the data from these logs. We're looking for an alternative to creating a Group Policy Object that will overwrite the logs. Thanks in advance to anyone willing to provide input

Re: Windows Event Logs and Splunk-Can Splunk be configured to delete event logs?

kdenton — Tue, 11 Oct 2011 21:20:22 GMT

No, not built in.

Your best bet is a Group Policy that sets the server logs to Overwrite as needed.

Re: Windows Event Logs and Splunk-Can Splunk be configured to delete event logs?

Ayn — Tue, 11 Oct 2011 21:44:07 GMT

In addition to the previous answer that is completely right, is there a specific reason for you to want to delete or overwrite logs? By default Windows is configured to throw old events FIFO style when the log grows to a certain size (I believe 16MB is the default, or at least used to be). You could lower this limit substantially if you're running a Universal Forwarder on the host since the forwarder will be picking up events immediately as they arrive anyway. That way the logs will be overwritten pretty soon in order to make room for new logs arriving in the event log.

Re: Windows Event Logs and Splunk-Can Splunk be configured to delete event logs?

aelliott — Wed, 07 May 2014 16:05:34 GMT

is there any implications that could happen if it were set to overwrite and current_only set to 1?