Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:
```
LogName=Application
SourceName=Microsoft-Windows-CertificateServicesClient-CertEnroll
...
LogName=Application
SourceName=Symantec Antivirus
...
LogName=Application
SourceName=NVWMI
...
```

`...` indicates that there are more field-value pairs in the events.
How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!
Please look at this answer.
https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html
Thanks for the info!
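The events in the question carry the source Splunk assigns to its Windows event log input (spelled `WinEventLog:Application` in the source field), which is enabled by a `[WinEventLog://Application]` stanza in some app's `inputs.conf` on the forwarder rather than by a `[monitor://...]` stanza, which is why no monitor entry could be found. The following is an added example, not configuration from the thread or from Splunk's own add-ons; the app directory name `my_forwarder_overrides` is a placeholder, and the provider names used for filtering are the ones quoted in the question.

```ini
# Added example: $SPLUNK_HOME/etc/apps/my_forwarder_overrides/local/inputs.conf
# on the universal forwarder ("my_forwarder_overrides" is a hypothetical app name).
# A stanza in a local/ directory overrides the same stanza in any app's default/
# directory (such as the one shipped with Splunk_TA_windows that enables this log).

# Option 1: stop collecting the Application log entirely.
[WinEventLog://Application]
disabled = 1

# Option 2 (use instead of option 1, not alongside it): keep the log but drop the
# noisy providers at collection time so they never leave the host. The blacklist
# value is key=regex; SourceName is the provider field shown in the events above.
# [WinEventLog://Application]
# disabled = 0
# blacklist1 = SourceName="NVWMI"
# blacklist2 = SourceName="Symantec Antivirus"
```

Before adding the override, `splunk btool inputs list WinEventLog://Application --debug` run on the forwarder prints which app's `inputs.conf` currently enables the input, so you can confirm the source of the stanza rather than guessing; the change takes effect after restarting the forwarder. Filtering at the forwarder (option 2) is preferable to dropping events at the indexer when the goal is to save license and network volume, but keep the filter narrow: Application-log events from other providers (for example certificate enrollment failures) can still be useful for investigations.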