Splunk Enterprise

Windows Event Logs Best Practice monitoring to reduce the splunk license usage

fatihah
Engager

Currently, I already filter the Windows event logs for only Windows Security logs. However, windows logs have take up majority of splunk license usage and we are working to reduce the windows logs ingestion by implementing the best practise for windows monitoring for security purpose.

Does anyone have  a best practice to reduce the windows logs size based on event code?

Does anyone can provide the list of Windows event code that should be digest and event code that do not need to be digest by Splunk for Security purpose?

Your help is very appreciate.

Thanks in advance,

Fatihah

0 Karma
1 Solution

fatihah
Engager

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

View solution in original post

0 Karma

fatihah
Engager

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

View solution in original post

0 Karma

scelikok
Champion

Hi @fatihah,

Required EventCode list depends on your organization, it is not easy suggest a list. but clearing unnecessary text from event log using below best practice will save license usage.

https://docs.splunk.com/Documentation/WindowsAddOn/8.1.1/User/Configuration#Configure_event_cleanup_... 

 

If this reply helps you an upvote is appreciated.
0 Karma

SamHTexas
Contributor

Bro. Scelikok, what files need to be accesses & cleaned up to reduce the number of error codes that are collected to save some license usage? Also from your expert point of view  -  I know you stated it depends on the company policy. But what general areas do you see that I have to attend to reduce the large amount of license being used? I do respect your expert opinion sir. Thank u

Tags (1)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!