Solved: How do I exclude WinEventsLog:Application files fr...

mawomommoh · ‎07-08-2018

Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:

LogName=Application SourceName=Microsoft-Windows-CertificateServicesClient-CertEnroll ...
LogName=Application SourceName=Symantec Antivirus ...
LogName=Application SourceName=NVWMI ...

... indicates that there are more field-value pairs in the events.

How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

View solution in original post

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

mawomommoh · ‎07-11-2018

Thanks for the info!

How do I exclude WinEventsLog:Application files from being forwarded?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

How do I exclude WinEventsLog:Application files from being forwarded?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...