https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341847#M86060 <P>Has anyone inserted this in the inputs.conf that has the appropriate regex to make this work?</P> Fri, 20 Mar 2020 18:42:16 GMT avery2007 2020-03-20T18:42:16Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341844#M86057 <P>I have around 800 users in my environment and the count of 4624 and 4634 is around 80,000 for the last 15 minutes. What might be the reason.</P> <P>Thank you,</P> Tue, 21 Feb 2023 21:27:16 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341844#M86057 omprakash9998 2023-02-21T21:27:16Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341845#M86058 <P>if your problem is too much verbose events from wineventlog, causing higher license usage<BR /> you can a use a blacklist filter on the splunk inputs.conf to exclude them from the monitoring.</P> <P>see wineventlog whitelist/blacklist settings<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/MonitorWindowseventlogdata</A></P> Tue, 19 Dec 2017 20:00:58 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341845#M86058 yannK 2017-12-19T20:00:58Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341846#M86059 <P>Pro Tip:</P> <P>Decide which login events you really care about (maybe check with security team if applicable)<BR /> However, most of your 4624s will probably be LoginType 3 - Which is network access - you may see this every time you access anything on the network, even if you don't actually open/edit a file etc.</P> <P>You may decide that you only care about:<BR /> LoginType 2 - Interactive (ie with a keyboard attached to the system) <BR /> Type7 - Unlocking a workstation, or <BR /> Type 10 - remote Interactive (ie RDP/remote access etc)</P> <P>you could blacklist types 1,3,4,5,6,8,9 and reduce your login events to a fraction of what you have right now, whilst preserving the most important/relevant ones.</P> <P><CODE>blacklist = EventCode="4624" Message="LogonType=(1|3|4|5|6|8|9)"</CODE></P> <P>or to just drop type 3<BR /> <CODE>blacklist1 = EventCode="4624" Message="LogonType=3"</CODE></P> Tue, 19 Dec 2017 20:29:53 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341846#M86059 nickhills 2017-12-19T20:29:53Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341847#M86060 <P>Has anyone inserted this in the inputs.conf that has the appropriate regex to make this work?</P> Fri, 20 Mar 2020 18:42:16 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/341847#M86060 avery2007 2020-03-20T18:42:16Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/631762#M108271 <P>While years late, hopefully this helps someone out in the future. This works:</P><P>blacklist1 = EventCode="4624" Message="Logon Type:\s+3"<BR />blacklist2 = EventCode="4634" Message="Logon Type:\s+3"</P><P>&nbsp;</P> Tue, 21 Feb 2023 21:18:16 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/631762#M108271 96nick 2023-02-21T21:18:16Z https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/740913#M117772 <P>Just one line:<BR /><BR /><SPAN>blacklist1 = EventCode="46[23]4" Message="Logon Type:\s+3"</SPAN></P> Wed, 05 Mar 2025 11:53:17 GMT https://community.splunk.com/t5/Getting-Data-In/What-might-be-the-reason-for-excessive-logs-in-Windows-event/m-p/740913#M117772 jotne 2025-03-05T11:53:17Z