Security

Specific Wineventlog (Security) ingestion into Splunk

anandhalagarasa
Path Finder

Hi Team,

Currently we are ingesting all data from wineventlog Security, Application & System from all Windows Client machines. And due to this ingestion we are overloaded with the license usage and now we are planning only to ingest only the critical EventCode (4688,4624) and so on and the remaining Security wineventlog are not required so kindly let me know how to pull the data for a particular EventCode from all windows machine so that we will implement the same and check it.

Current Inputs:

[WinEventLog://Application]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://Security]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://System]
disabled = 0
index = xxx
renderXml=0

So it would be really helpful if i can ingest only the particular eventcode from wineventlog:security so that we will be saving some licenses.

Tags (1)

tbavarva
Path Finder
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...