Getting Data In

Which one to choose: Windows XML or non-XML format to save licensing?

AL3Z
Builder

Hi,

In our environment, we utilize Windows security logs for our security purposes. To reduce licensing costs, I'm considering switching the render XML setting to false. I'm wondering if this is advisable, especially given our focus on security use cases. Could you highlight the major distinctions between using XML and non-XML formats for these logs?

Thanks.

0 Karma

PickleRick
SplunkTrust

While I didn't do comparison tests myself, the general consensus is that XML-rendered Windows logs are the better choice. They do not cause problems with parsing (there were some problems with ambiguous data in the traditionally formatted data, I recall vaguely; colleagues more experienced with older versions could probably tell you more). Also, they tend to be actually smaller than traditionally formatted logs.

0 Karma

AL3Z
Builder

@PickleRick ,

My aim is to save the license. Can you assist me in blacklisting some of the most common Windows security events?

0 Karma

PickleRick
SplunkTrust

Sorry, can't help you here. I'm not a Windows expert.

0 Karma

AL3Z
Builder

@PickleRick ,

By any chance, VPN / firewall logs?

0 Karma