Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows Event Logs Best Practice monitoring to reduce the splunk license usage

fatihah
Engager
‎02-07-2021 09:33 PM

Currently, I already filter the Windows event logs for only Windows Security logs. However, windows logs have take up majority of splunk license usage and we are working to reduce the windows logs ingestion by implementing the best practise for windows monitoring for security purpose.

Does anyone have  a best practice to reduce the windows logs size based on event code?

Does anyone can provide the list of Windows event code that should be digest and event code that do not need to be digest by Splunk for Security purpose?

Your help is very appreciate.

Thanks in advance,

Fatihah

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fatihah
Engager
‎02-16-2021 05:08 PM

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fatihah
Engager
‎02-16-2021 05:08 PM

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-07-2021 09:46 PM

Hi @fatihah,

Required EventCode list depends on your organization, it is not easy suggest a list. but clearing unnecessary text from event log using below best practice will save license usage.

https://docs.splunk.com/Documentation/WindowsAddOn/8.1.1/User/Configuration#Configure_event_cleanup_... 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

SamHTexas
Builder
‎04-22-2021 10:29 AM

Bro. Scelikok, what files need to be accesses & cleaned up to reduce the number of error codes that are collected to save some license usage? Also from your expert point of view  -  I know you stated it depends on the company policy. But what general areas do you see that I have to attend to reduce the large amount of license being used? I do respect your expert opinion sir. Thank u

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...