All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows Event Logs monitoring

naagaraj
Engager
‎05-10-2021 03:18 AM

Hi All,

 

I am building a solution to monitor the windows event logs from about 800 machines using splunk deployment server setup.

I am filtering for only 4 event codes using whitelist option (4624,4634,4800,4801). The logs seems to be flowing correctly and i am able to generate reports.

However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.

I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.

Can someone help out how the disk space can be optimized when monitoring the windows event logs for 800 machines. 

 

Thanks,

Naagaraj SV

Labels (2)
0 Karma
Reply

jacobpevans
Motivator
‎05-10-2021 11:13 AM

Greetings @naagaraj ,

The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog. 

If you don't want historical logs, take a look at the current_only setting specifically for Windows Event Logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
li.common.scroll-to.top