Specific Wineventlog (Security) ingestion into Spl...

anandhalagarasa · ‎10-21-2019

Hi Team,

Currently we are ingesting all data from wineventlog Security, Application & System from all Windows Client machines. And due to this ingestion we are overloaded with the license usage and now we are planning only to ingest only the critical EventCode (4688,4624) and so on and the remaining Security wineventlog are not required so kindly let me know how to pull the data for a particular EventCode from all windows machine so that we will implement the same and check it.

Current Inputs:

[WinEventLog://Application]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://Security]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://System]
disabled = 0
index = xxx
renderXml=0

So it would be really helpful if i can ingest only the particular eventcode from wineventlog:security so that we will be saving some licenses.

tbavarva · ‎10-21-2019

Hi,

I hope below link will give you an idea.

https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

Regards,
Tejas

dauren_akilbeko · ‎10-21-2019

Use whitelist/blacklist functionality in inputs.
Docs - https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/Whitelistorblacklistspecificincomingdata
Similar question - https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

You can also clean up events - https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration#Configure_event_cleanup_...

Specific Wineventlog (Security) ingestion into Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation