Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows Event Logs Best Practice monitoring to reduce the splunk license usage

fatihah
Engager
‎02-07-2021 09:33 PM

Currently, I already filter the Windows event logs for only Windows Security logs. However, windows logs have take up majority of splunk license usage and we are working to reduce the windows logs ingestion by implementing the best practise for windows monitoring for security purpose.

Does anyone have  a best practice to reduce the windows logs size based on event code?

Does anyone can provide the list of Windows event code that should be digest and event code that do not need to be digest by Splunk for Security purpose?

Your help is very appreciate.

Thanks in advance,

Fatihah

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fatihah
Engager
‎02-16-2021 05:08 PM

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fatihah
Engager
‎02-16-2021 05:08 PM

Hi @scelikok ,

Thanks for your suggestion. 

On top of that, I also refer to this link below, where I can search for list of codes that let me  know what means each code and from their decided if it's relevant to my organization or not.

Example.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx 

 

Regards,

Fatihah

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-07-2021 09:46 PM

Hi @fatihah,

Required EventCode list depends on your organization, it is not easy suggest a list. but clearing unnecessary text from event log using below best practice will save license usage.

https://docs.splunk.com/Documentation/WindowsAddOn/8.1.1/User/Configuration#Configure_event_cleanup_... 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

SamHTexas
Builder
‎04-22-2021 10:29 AM

Bro. Scelikok, what files need to be accesses & cleaned up to reduce the number of error codes that are collected to save some license usage? Also from your expert point of view  -  I know you stated it depends on the company policy. But what general areas do you see that I have to attend to reduce the large amount of license being used? I do respect your expert opinion sir. Thank u

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top