Windows Event Logs monitoring

naagaraj · ‎05-10-2021

Hi All,

I am building a solution to monitor the windows event logs from about 800 machines using splunk deployment server setup.

I am filtering for only 4 event codes using whitelist option (4624,4634,4800,4801). The logs seems to be flowing correctly and i am able to generate reports.

However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.

I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.

Can someone help out how the disk space can be optimized when monitoring the windows event logs for 800 machines.

Thanks,

Naagaraj SV

jacobpevans · ‎05-10-2021

Greetings @naagaraj ,

The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog.

If you don't want historical logs, take a look at the current_only setting specifically for Windows Event Logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Windows Event Logs monitoring

configuration

troubleshooting

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM