How to limit Windows Security logs with inputs.conf?

rpearson
Explorer

I was pretty sure that back when we installed the system we limited a bunch of things, but now I cannot find the configuration anywhere. In the typical /opt/splunk/etc/system/local on my Splunk server I do not seem to have the inputs.conf file anymore. Is that where I would limit my ingesting, or do I do it at the Splunk Forwarder level?

I am getting a lot of 4634s, which is filling up my license quota. I want to not log the Logon Type 3s. Can I just create the file where it should be and start adding things there, or how should I go about it?

0 Karma

rpearson
Explorer

I have that app already but that folder doesn't appear to have an inputs.conf folder in it.

0 Karma

gcusello
SplunkTrust

Hi @rpearson,

First of all, $SPLUNK_HOME/etc/system/local isn't the typical location of inputs.conf. There is an inputs.conf there, but it's usually only for TCP:9997 data from other forwarders; don't use it for your inputs.

The best approach is to have inputs in a dedicated App (not in the ones already present in $SPLUNK_HOME/etc/apps).

In your case, you should explore the Splunk_TA_Windows App (https://splunkbase.splunk.com/app/742), which already gives you all the inputs to use.

In this case you have to install it and enable the inputs you need via the GUI if you're on a Splunk instance, or via conf file if you're on a Universal Forwarder, following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/HowtogetWindowsdataintoSplunk

To reduce the license consumption, you can whitelist the EventCodes you want or blacklist the ones you want to discard (https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#Event_Log_filtering); obviously in this case you limit your monitoring opportunities.

Ciao.

Giuseppe

0 Karma
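The filtering the answer above describes, written out as an added example (this is not from the thread, not from Splunk_TA_windows, and not from the Splunk docs). It assumes the inputs.conf lives in the local directory of a dedicated app on the Universal Forwarder (the Splunk_TA_windows path is one common choice; the TA ships its defaults in default/ and leaves local/ for you to create, which is why that folder looks empty), and that the events to drop are 4634 logoffs with Logon Type 3. The unfiltered stanza is shown commented out so the file still parses; only the filtered stanza is live.

```ini
# Added example, not the original poster's config.
# Assumed path on the Universal Forwarder:
#   $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# (any dedicated app under etc/apps works; never etc/system/local).

# BEFORE (weak setting, kept as a comment): Security log enabled with no
# filtering, so every 4634 logoff is forwarded and counted against license.
#[WinEventLog://Security]
#disabled = 0

# AFTER: same stanza, but 4634 events whose Logon Type is 3 (network logon)
# are dropped before they leave the forwarder. Every key=regex pair on one
# blacklist<n> line must match for the event to be discarded, so 4634s with
# other logon types, and every other EventCode, are still indexed.
# Message-based filters only see the rendered text when renderXml is false.
[WinEventLog://Security]
disabled = 0
renderXml = false
# "Logon Type:" is followed by tabs and the type number; (?!\d) keeps "3"
# from also matching 30-39 if a new type were ever added.
blacklist1 = EventCode="4634" Message="Logon Type:\s+3(?!\d)"

# If you keep the TA default of renderXml = true, the Message key does not
# match the XML payload; filter on the XML instead (assumed EventData field
# name, check the raw event on your host before relying on it):
#renderXml = true
#blacklist1 = EventCode="4634" $XmlRegex="<Data Name='LogonType'>3</Data>"
```

The check after restarting the forwarder: the forwarder's internal log reports the stanza it loaded, and a search such as `index=wineventlog EventCode=4634 Logon_Type=3` (Logon_Type is the field name Splunk_TA_windows extracts) should return nothing new while `EventCode=4634 Logon_Type!=3` keeps arriving. If the count does not drop, the most common causes are the file sitting in default/ instead of local/, a renderXml setting that does not match the key type used in the blacklist, or the same stanza also defined in another app whose precedence wins.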