Windows Event Logs monitoring

naagaraj
Engager

Hi All,


I am building a solution to monitor the Windows event logs from about 800 machines using a Splunk deployment server setup.

I am filtering for only 4 event codes using the whitelist option (4624,4634,4800,4801). The logs seem to be flowing correctly and I am able to generate reports.

However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.

I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.

Can someone help out with how the disk space can be optimized when monitoring the Windows event logs for 800 machines?


Thanks,

Naagaraj SV


jacobpevans
Motivator

Greetings @naagaraj ,

The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog. 

If you don't want historical logs, take a look at the current_only setting specifically for Windows Event Logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
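As an added illustration, not taken from either post, the two alternative versions of the same inputs.conf stanza below contrast the default behaviour Jacob describes with the current_only fix; the deployment-app path and the index name are assumptions:

```ini
# Assumed deployment-app location (hypothetical app name):
#   $SPLUNK_HOME/etc/deployment-apps/win_eventlog_inputs/local/inputs.conf
# Only ONE of the two stanzas below belongs in the real file.

# BEFORE: whitelist alone. The four Event IDs are filtered, but current_only
# keeps its default of 0 (with start_from = oldest), so on first deployment the
# forwarder replays every existing matching event in each host's Security log.
# Across 800 machines that one-time backlog is what fills the disk.
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = 4624,4634,4800,4801

# AFTER: same filter plus current_only = 1, so only events written after the
# input starts are forwarded and the historical backlog is skipped entirely.
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = 4624,4634,4800,4801
current_only = 1

# Caveat: with current_only = 1 the input keeps no checkpoint, so logon events
# written while a forwarder is stopped are never collected. If a gap-free
# record of 4624/4634 matters more than the one-time replay, leave
# current_only = 0 and size the index for the initial backlog instead.
```

Splunk .conf files treat a trailing `#` as part of the value, which is why every comment above sits on its own line.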