Splunk Enterprise

How to stop duplicate events 4624 from logging into Splunk

rahulkumarfgf
Explorer

Hello Everyone,

I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On searching for EventCode 4624, I see around 10-15 events with the same timestamp, AccountName, etc. logging in. This single eventcode is consuming around 4-5 GB of license every day from a single Domain Controller, which is not at all ideal. Blacklisting the event is no help as I need it for several reports. I have already removed the extra description at the end of events to reduce license usage. I was wondering if someone has faced a similar issue or if someone could guide me on this; that would be great.

Please let me know if I need to provide any more information.

0 Karma

rahulkumarfgf
Explorer

Hi @gcusello Thank you for your response. I'm not looking to dedup the events as that would mean that the events are already indexed. I'm looking for a way to index only 1 event in Splunk instead of several duplicate events coming from the DCs, which will help me in saving my license.


Thank You!

0 Karma

gcusello
SplunkTrust

Hi @rahulkumarfgf,

sorry, it isn't possible!

The only way could be to extract events from wineventlog and preprocess them using a script before Splunk, but it isn't easy!

Ciao.

Giuseppe

0 Karma

rahulkumarfgf
Explorer

Hi @gcusello 

I see. I will search for scripts then and see how that goes. I will update if anything changes. Thank you!

0 Karma

gcusello
SplunkTrust

Hi @rahulkumarfgf,

this is a problem related to Windows logs.

You could use the dedup command (on the host, user and timestamp fields) to exclude the duplicated values from the results, but you have to check whether in this way you manage to eliminate all the duplicated events, or whether there are some events with a small difference in timestamp (one or a few milliseconds).

The other choice is to use the transaction command, to group events but transaction is a slow command that I usually avoid.

Obviously, this is a solution at search time, but it doesn't solve the problem of the license consumption.

For the license I think that you cannot do anything, because you'd risk losing some events.

Ciao.

Giuseppe

0 Karma
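The two ideas in Giuseppe's replies, a script that preprocesses the Windows event log before it reaches Splunk, and a dedup that has to cope with duplicates whose timestamps differ by a few milliseconds, combined in one added example. This is not code from the thread, from Splunk or from any Splunk add-on: it is a stand-alone Python filter over constructed 4624 records. The field names (ComputerName, Account_Name, Logon_Type, Logon_ID) follow the naming of the Splunk Windows add-on, while the 50 ms tolerance, the choice of key fields and the sample records are assumptions chosen for the illustration. Logon_Type and Logon_ID are deliberately part of the key so that two logons that merely share an account and a timestamp are not collapsed; only records identical in every key field and within the tolerance of the last record that was kept are dropped, which keeps the first copy as evidence.

```python
"""Pre-ingest deduplication of Windows EventCode 4624 records (constructed example).

Runs as a filter before Splunk ingestion: it keeps the first copy of a logon
event and drops repeats that are identical in every key field and arrive within
a small time window. Splunk itself cannot do this at index time, as the thread
notes, so the work happens in the collection script.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not real Domain Controller data). "_time" is
# ISO 8601 with milliseconds; the other fields mirror Splunk Windows field names.
SAMPLE_EVENTS = [
    {"_time": "2024-12-10T08:00:00.000", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "alice", "Logon_Type": 3, "Logon_ID": "0x3E7A1"},
    {"_time": "2024-12-10T08:00:00.004", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "alice", "Logon_Type": 3, "Logon_ID": "0x3E7A1"},  # +4 ms duplicate
    {"_time": "2024-12-10T08:00:00.011", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "alice", "Logon_Type": 3, "Logon_ID": "0x3E7A1"},  # +11 ms duplicate
    {"_time": "2024-12-10T08:00:00.002", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "alice", "Logon_Type": 2, "Logon_ID": "0x3E7B0"},  # distinct logon: keep
    {"_time": "2024-12-10T08:00:05.000", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "alice", "Logon_Type": 3, "Logon_ID": "0x3E7C4"},  # 5 s later: keep
    {"_time": "2024-12-10T08:00:00.003", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "bob", "Logon_Type": 3, "Logon_ID": "0x3E7D2"},
    {"_time": "2024-12-10T08:00:00.006", "EventCode": 4625, "ComputerName": "DC01",
     "Account_Name": "bob", "Logon_Type": 3, "Logon_ID": "0x0"},        # not 4624: pass through
]

# Assumed key: everything that distinguishes one logon session from another.
KEY_FIELDS = ("ComputerName", "Account_Name", "Logon_Type", "Logon_ID")


def _parse_time(ts: str) -> datetime:
    """Parse the ISO 8601 timestamp with millisecond precision used in the samples."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f")


def dedup_4624(events: Iterable[dict], key_fields: Tuple[str, ...] = KEY_FIELDS,
               tolerance_ms: int = 50) -> Tuple[List[dict], int]:
    """Return (kept_events, dropped_count).

    Events other than 4624 pass through untouched. A 4624 record is dropped only
    when a record with the same key was already kept no more than tolerance_ms
    earlier. The window is measured from the last *kept* record, so a long run
    of near-duplicates cannot extend the window indefinitely and swallow a
    genuinely new logon later on.
    """
    tolerance = timedelta(milliseconds=tolerance_ms)
    ordered = sorted(events, key=lambda e: _parse_time(e["_time"]))
    last_kept: Dict[Tuple, datetime] = {}
    kept: List[dict] = []
    dropped = 0
    for ev in ordered:
        if ev["EventCode"] != 4624:
            kept.append(ev)
            continue
        key = tuple(ev.get(field) for field in key_fields)
        when = _parse_time(ev["_time"])
        previous = last_kept.get(key)
        if previous is not None and when - previous <= tolerance:
            dropped += 1  # identical logon within the window: do not forward it
            continue
        last_kept[key] = when
        kept.append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dedup_4624(SAMPLE_EVENTS)
    print(f"forwarded {len(kept)} events, dropped {dropped} duplicate 4624 records")
    for ev in kept:
        print(ev["_time"], ev["EventCode"], ev["Account_Name"], ev["Logon_Type"])
```

With the constructed input the filter forwards 5 records and drops 2; run with tolerance_ms=0 it drops nothing, which is exactly the failure Giuseppe warns about when duplicates are a few milliseconds apart. Before using anything like this on real forwarders, compare dropped records against the reports that depend on 4624 so that no distinct logon is ever lost.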