I'm currently dealing with an environment with a number of domain controllers that will need to begin forwarding Windows event logs into Splunk. A worry is license threshold.
I've whitelisted only the event codes we are interested in, but this has done little as 4624/4634, account logons/logoffs, have a lot of noise with network logons. I've toyed with blacklisting any logon using a computer's sAMAccountName$. This drops off our license usage per DC immensely, but I'm worried that we might be missing some valuable event data.
Does anyone have any insight to if this is a good/bad practice, what types of info we'd be missing out on, and/or any alternative suggestions to minimizing the load that DC's place on license usage?