In the past, one of my coworkers was working on a whitelist/blacklist solution for our Windows logs (dropping certain EventCodes and keeping others, etc.). Now, that task has fallen to me.
I'd like to test this on a distilled version of our log data for ease of verifying the results, but I'm not sure how to go about that. I've got a file with copies of our Windows logs; would it be enough for me to point a Splunk instance to them for indexing? Or do I need to push them through a Windows instance?
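One way to check what a whitelist/blacklist of EventCodes would keep and drop before touching a Splunk instance is to run the rules over the distilled file offline. The script below is an added example, not code from the question or from Splunk: it parses Splunk-style multi-line renderings of Windows events (constructed sample data, not real logs), expands code lists and ranges such as `4624-4625,4672`, and reports what survives. The precedence rule it applies (blacklist drops first, then a non-empty whitelist keeps only the listed codes) is an assumption made for this emulator; confirm it against the actual inputs.conf semantics you intend to deploy.

```python
import re
from collections import Counter

# Constructed sample data: Splunk-style multi-line renderings of Windows
# Security events. Made up for this example, not real log lines.
SAMPLE_LOG = """\
03/14/2024 09:12:01 AM
LogName=Security
EventCode=4624
ComputerName=WS01.example.corp
Message=An account was successfully logged on.

03/14/2024 09:12:05 AM
LogName=Security
EventCode=4634
ComputerName=WS01.example.corp
Message=An account was logged off.

03/14/2024 09:12:09 AM
LogName=Security
EventCode=4672
ComputerName=WS01.example.corp
Message=Special privileges assigned to new logon.

03/14/2024 09:13:10 AM
LogName=Security
EventCode=4625
ComputerName=WS02.example.corp
Message=An account failed to log on.

03/14/2024 09:13:11 AM
LogName=Security
EventCode=5156
ComputerName=WS02.example.corp
Message=The Windows Filtering Platform has permitted a connection.

03/14/2024 09:14:00 AM
LogName=Security
EventCode=4624
ComputerName=WS02.example.corp
Message=An account was successfully logged on.
"""


def parse_events(text):
    """Split a blank-line-delimited dump into events, each a dict of key=value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if "=" in line:  # the leading timestamp line has no '=', so it is skipped
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        if "EventCode" in fields:
            fields["EventCode"] = int(fields["EventCode"])
            events.append(fields)
    return events


def parse_code_list(spec):
    """Expand a comma-separated list of codes and ranges: '4624,4672-4674' -> {4624,4672,4673,4674}."""
    codes = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


def keep_event(event, whitelist, blacklist):
    """Assumed rule for this emulator: blacklist drops first; then an empty whitelist
    keeps everything and a non-empty whitelist keeps only the listed codes."""
    code = event["EventCode"]
    if code in blacklist:
        return False
    return not whitelist or code in whitelist


def distill(text, whitelist_spec="", blacklist_spec=""):
    """Apply the rules to a dump; return the kept events and a Counter of dropped codes."""
    whitelist = parse_code_list(whitelist_spec)
    blacklist = parse_code_list(blacklist_spec)
    kept, dropped = [], Counter()
    for ev in parse_events(text):
        if keep_event(ev, whitelist, blacklist):
            kept.append(ev)
        else:
            dropped[ev["EventCode"]] += 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = distill(SAMPLE_LOG, whitelist_spec="4624-4625,4672", blacklist_spec="4672")
    print(f"kept {len(kept)} events; dropped by code: {dict(dropped)}")
    for ev in kept:
        print(ev["EventCode"], ev["ComputerName"], ev["Message"])
```

Point `distill` at the contents of the distilled file instead of `SAMPLE_LOG` and compare its kept/dropped counts with what the indexed data shows; a mismatch between the two is the quickest signal that the rules in the emulator and the rules Splunk is actually applying differ.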