Re: Specific Wineventlog (Security) ingestion into...

anandhalagarasa · ‎10-21-2019

Hi Team,

Currently we are ingesting all data from wineventlog Security, Application & System from all Windows Client machines. And due to this ingestion we are overloaded with the license usage and now we are planning only to ingest only the critical EventCode (4688,4624) and so on and the remaining Security wineventlog are not required so kindly let me know how to pull the data for a particular EventCode from all windows machine so that we will implement the same and check it.

Current Inputs:

[WinEventLog://Application]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://Security]
disabled = 0
index = xxx
renderXml=0

[WinEventLog://System]
disabled = 0
index = xxx
renderXml=0

So it would be really helpful if i can ingest only the particular eventcode from wineventlog:security so that we will be saving some licenses.

tbavarva · ‎10-21-2019

Hi,

I hope below link will give you an idea.

https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

Regards,
Tejas

dauren_akilbeko · ‎10-21-2019

Use whitelist/blacklist functionality in inputs.
Docs - https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/Whitelistorblacklistspecificincomingdata
Similar question - https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

You can also clean up events - https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration#Configure_event_cleanup_...

Specific Wineventlog (Security) ingestion into Splunk

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Specific Wineventlog (Security) ingestion into Splunk

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability