What might be the reason for excessive logs in Windows event?

omprakash9998
Path Finder

I have around 800 users in my environment and the count of 4624 and 4634 is around 80,000 for the last 15 minutes. What might be the reason?

Thank you,

1 Solution

nickhills
Ultra Champion

Pro Tip:

Decide which login events you really care about (maybe check with the security team, if applicable).
However, most of your 4624s will probably be LoginType 3, which is network access. You may see this every time you access anything on the network, even if you don't actually open/edit a file, etc.

You may decide that you only care about:
LoginType 2 - Interactive (i.e. with a keyboard attached to the system)
Type 7 - Unlocking a workstation, or
Type 10 - Remote Interactive (i.e. RDP/remote access, etc.)

You could blacklist types 1, 3, 4, 5, 6, 8, 9 and reduce your login events to a fraction of what you have right now, whilst preserving the most important/relevant ones.

blacklist = EventCode="4624" Message="LogonType=(1|3|4|5|6|8|9)"

or to just drop type 3
blacklist1 = EventCode="4624" Message="LogonType=3"

If my comment helps, please give it a thumbs up!

avery2007
Explorer

Has anyone inserted this in the inputs.conf that has the appropriate regex to make this work?

96nick
Communicator

While years late, hopefully this helps someone out in the future. This works:

blacklist1 = EventCode="4624" Message="Logon Type:\s+3"
blacklist2 = EventCode="4634" Message="Logon Type:\s+3"

jotne
Builder

Just one line:

blacklist1 = EventCode="46[23]4" Message="Logon Type:\s+3"

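As an added illustration (not code from this thread or from Splunk), the script below replays the three blacklist variants posted above against a handful of constructed 4624/4634/4672 messages laid out the way Windows renders the "Logon Type:" line (label, tabs, value). It mimics how a blacklist line is evaluated: each key="regex" pair is an unanchored search, and an event is dropped only when every pair in one line matches. The point it makes visible is that the first answer's pattern, LogonType=..., never matches a real message, so it silently drops nothing, whereas the corrected Logon Type:\s+3 pattern drops exactly the type 3 logon and logoff events and leaves everything else (including events that carry no Logon Type line) untouched. The sample events and the helper names are constructed for this example.

```python
import re

# Constructed sample events, modelled on the text a Windows Security
# 4624 / 4634 event message carries. Only the fields the filter reads
# (EventCode and the tab-separated "Logon Type:" line) are reproduced;
# these are not real captured events.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t3\r\n"},
    {"EventCode": "4624", "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t2\r\n"},
    {"EventCode": "4624", "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t10\r\n"},
    {"EventCode": "4634", "Message": "An account was logged off.\r\n\r\nLogon Type:\t\t\t3\r\n"},
    {"EventCode": "4634", "Message": "An account was logged off.\r\n\r\nLogon Type:\t\t\t7\r\n"},
    {"EventCode": "4672", "Message": "Special privileges assigned to new logon.\r\n"},
]

# Each rule mirrors one blacklistN line from the thread: a mapping of
# event field to regex. As in Splunk, the regex is an unanchored search
# and an event is dropped only when every field in the rule matches.
BLACKLISTS = {
    "first answer": [
        {"EventCode": r"4624", "Message": r"LogonType=(1|3|4|5|6|8|9)"},
    ],
    "two lines": [
        {"EventCode": r"4624", "Message": r"Logon Type:\s+3"},
        {"EventCode": r"4634", "Message": r"Logon Type:\s+3"},
    ],
    "one line": [
        {"EventCode": r"46[23]4", "Message": r"Logon Type:\s+3"},
    ],
}


def matches_rule(event, rule):
    """True when every field regex in the rule finds a match in the event."""
    return all(re.search(pattern, event.get(field, "")) for field, pattern in rule.items())


def is_blacklisted(event, rules):
    """True when any blacklist line in the set matches the event."""
    return any(matches_rule(event, rule) for rule in rules)


def apply_blacklist(events, rules):
    """Return the events that survive the blacklist, i.e. what would be indexed."""
    return [e for e in events if not is_blacklisted(e, rules)]


def logon_type(event):
    """Extract the Logon Type value from a message, or None if the event has none."""
    m = re.search(r"Logon Type:\s+(\d+)", event["Message"])
    return m.group(1) if m else None


def summarize(events):
    """(EventCode, Logon Type) pairs, for eyeballing what a filter keeps."""
    return [(e["EventCode"], logon_type(e)) for e in events]


if __name__ == "__main__":
    for name, rules in BLACKLISTS.items():
        kept = apply_blacklist(SAMPLE_EVENTS, rules)
        print(f"{name}: kept {len(kept)} of {len(SAMPLE_EVENTS)} -> {summarize(kept)}")
```

Two things worth checking before trusting a filter like this in production: run it against a few real messages from the forwarder's own host first, since the Message text is localized and the spacing after "Logon Type:" is what \s+ relies on; and confirm the filter drops only what you expect (here the \s+3 pattern does not touch type 10, because the value after the whitespace starts with 1, and it leaves 4672 alone because that event has no Logon Type line). A filter that never matches just burns license, and one that over-matches removes evidence you may need later.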
yannK
Splunk Employee

If your problem is too many verbose events from wineventlog, causing higher license usage,
you can use a blacklist filter in the Splunk inputs.conf to exclude them from monitoring.

See the wineventlog whitelist/blacklist settings:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/MonitorWindowseventlogdata
