Splunk Enterprise

Windows Event Logs best practice monitoring to reduce the Splunk license usage

fatihah
Engager

Currently, I already filter the Windows event logs to only the Windows Security logs. However, Windows logs take up the majority of Splunk license usage, and we are working to reduce Windows log ingestion by implementing the best practice for Windows monitoring for security purposes.

Does anyone have a best practice to reduce the Windows log size based on event code?

Can anyone provide the list of Windows event codes that should be ingested and the event codes that do not need to be ingested by Splunk for security purposes?

Your help is very much appreciated.

Thanks in advance,

Fatihah

0 Karma
1 Solution

fatihah
Engager

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to the link below, where I can search the list of codes to learn what each code means and from there decide whether it is relevant to my organization or not.

Example:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Regards,

Fatihah


0 Karma


scelikok
SplunkTrust

Hi @fatihah,

The required EventCode list depends on your organization; it is not easy to suggest a list. But clearing unnecessary text from the event log using the best practice below will save license usage.

https://docs.splunk.com/Documentation/WindowsAddOn/8.1.1/User/Configuration#Configure_event_cleanup_... 


If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
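As an added example (not from this thread, and not the Splunk add-on's own shipped configuration), here are the two pieces that are usually combined for this: an inputs.conf blacklist that discards selected EventCodes at the forwarder, so they never count against the license, and a props.conf SEDCMD that strips the long descriptive text from the events that are kept. The event codes chosen (5156, 5158, 4662) and the regexes are illustrative assumptions to be checked against your own volume; the stanza and setting names are standard Splunk ones.

```ini
# inputs.conf (universal forwarder, or the Windows add-on's local/ directory)
# Events dropped here are never sent, so they do not consume license.
[WinEventLog://Security]
disabled = 0
# Windows Filtering Platform "permitted connection" (5156) and "permitted bind"
# (5158) are typically among the highest-volume Security events. Illustrative
# choice: confirm with  index=* sourcetype=WinEventLog:Security | stats count by EventCode
blacklist = 5156,5158
# Keep 4662 (object access) only when the object is a Group Policy container;
# the negative lookahead drops every other 4662 event.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

# props.conf (indexer or heavy forwarder; SEDCMD is applied at parse time,
# so it has no effect on a universal forwarder)
# Windows appends an explanatory paragraph ("This event is generated when ...")
# to many Security events. Removing it before indexing reduces indexed bytes
# without losing any extracted field.
[source::WinEventLog:Security]
SEDCMD-strip_event_description = s/This event is generated[\s\S]*$//g
```

After deploying, compare the volume per EventCode before and after over the same time window to verify the savings and confirm that no event code needed by a detection was blacklisted.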

SamHTexas
Builder

Bro. Scelikok, what files need to be accessed & cleaned up to reduce the number of error codes that are collected to save some license usage? Also, from your expert point of view - I know you stated it depends on the company policy. But what general areas do you see that I have to attend to in order to reduce the large amount of license being used? I do respect your expert opinion, sir. Thank you

0 Karma