Hi all,
Currently I receive the logs from the fortinet source without problems, but what worries me is that there is a large consumption of licensing.
When I make a query I find that 94% of the logs that arrive are type "Notice"
Would it be a bad idea to ask the administrator not to send this type of log?
In case of blocking this type of log, what important information would you miss?
Hi
probably those with level notice are some audit trail etc. (like accepted connections and so on).
It's totally dependent are those needed on your organisation or not. If you are not needed those you could easily drop those away before indexing or try to ask that your network staff filltering those away before sending.
On splunk side (HF or IDX) you could also partially filtering those if some are needed and some not. Just look how this can do from docs or previous community answers.
r. Ismo
Hi
probably those with level notice are some audit trail etc. (like accepted connections and so on).
It's totally dependent are those needed on your organisation or not. If you are not needed those you could easily drop those away before indexing or try to ask that your network staff filltering those away before sending.
On splunk side (HF or IDX) you could also partially filtering those if some are needed and some not. Just look how this can do from docs or previous community answers.
r. Ismo