Currently, I already filter the Windows event logs for only Windows Security logs. However, Windows logs take up the majority of Splunk license usage, and we are working to reduce Windows log ingestion by implementing best practices for Windows monitoring for security purposes.
Does anyone have a best practice for reducing the Windows log size based on event code?
Can anyone provide a list of Windows event codes that should be ingested, and event codes that do not need to be ingested, by Splunk for security purposes?
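As an added example (not part of the original thread and not a Splunk-supplied baseline), this is the kind of inputs.conf stanza on the Windows universal forwarder that does the event-code filtering the question asks about. The filtering happens at the forwarder, before the data reaches the indexer, so dropped events never count against the license. The specific event-code lists are an assumed starting point for a security-monitoring baseline and should be tuned to your own audit policy; the process path in the regex blacklist is a placeholder.

```ini
# Added example: inputs.conf on the Windows universal forwarder, placed in
# a local app such as $SPLUNK_HOME\etc\apps\<your_app>\local\inputs.conf.
# Event-code choices below are an assumed baseline, not a Splunk-supplied
# list; tune them to your own audit policy and detection needs.

[WinEventLog://Security]
disabled = 0
# Collect as XML and skip AD SID/GUID resolution: both reduce the size of
# each event compared with the classic rendered-text format.
renderXml = true
evt_resolve_ad_obj = 0

# Option A: keep only an explicit allow-list of security-relevant codes.
# Any Security event whose EventCode is not listed is dropped at the
# forwarder. Assumed baseline: audit log cleared (1102), logon/logoff and
# explicit-credential use (4624, 4625, 4648), special privileges (4672),
# process creation (4688), service install and scheduled task creation
# (4697, 4698), audit policy change (4719), account lifecycle
# (4720, 4722, 4724, 4725, 4726), group membership (4728, 4732, 4756),
# lockout (4740), Kerberos and NTLM authentication (4768, 4769, 4771,
# 4776), and network share access (5140).
whitelist = 1102,4624,4625,4648,4672,4688,4697,4698,4719,4720,4722,4724,4725,4726,4728,4732,4740,4756,4768,4769,4771,4776,5140

# Option B (use instead of A): keep everything except known high-volume
# codes. 5156/5158 are Windows Filtering Platform connection/bind events
# and 4662/4663 are object-access audits; these usually dominate volume.
# blacklist = 4662,4663,5156,5158

# Blacklists also accept key="regex" pairs, so you can drop only a noisy
# subset of a code you otherwise want, e.g. 4688 events for one chatty
# process (placeholder path, adjust to your environment).
# blacklist1 = EventCode="4688" Message="New Process Name:\s+C:\\Windows\\System32\\conhost\.exe"
```

Before choosing between the two options, measure which codes actually carry the volume on the data you already have, for example with a search over the existing Security events that does `stats count by EventCode | sort -count`; after restarting the forwarder with the new stanza, run the same search on fresh data to confirm the dropped codes are gone and the allow-listed ones are still arriving.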
Bro. Scelikok, what files need to be accessed and cleaned up to reduce the number of error codes that are collected, to save some license usage? Also, from your expert point of view - I know you stated it depends on the company policy - but what general areas do you see that I have to attend to in order to reduce the large amount of license being used? I do respect your expert opinion, sir. Thank you.