We are a new Splunk Enterprise 6.4.1 installation and have run into a snag with indexing our Domain Controller logs. Due to the sheer volume and a limited license of 50GB, we had to turn off the Universal Forwarder on 7 out of 8 DCs in our environment. However, we are still getting upwards of 20GB indexed from 1 DC each day. We have used blacklist successfully for the bulk of the noisy events. We also attempted to use the suppress_text=1 argument, but it does not actually strip any of the message or body within the events.
For our situation, we are indexing [WinEventLog://Security] to capture user login/logoff details within the InfoSec realm. We found that 90% of our EventCodes are 4624 and 4634. These two events are actually the events we need, as they capture login/logoff transactions; however, they include events for all types of transactions, including NTLM, Kerberos, token exchange, session closes, and machine account access. We only need the user logon/logoff related events. We used the below inputs.conf placed in the "Splunk_TA_windows\local\" directory. Am I missing something? Can we use a regex to exclude certain types of events from within EventCode 4624?
[default]
host = DC-name

# Windows event log stanzas use the [WinEventLog://<channel>] form. The original
# file also had a [WinEventLog:Security] stanza (single colon), which is a
# separate, unrecognised stanza, so suppress_text placed there never applied
# to the Security input; it has been merged into the correct stanza below.
[WinEventLog://Security]
disabled = 0
current_only = 1
suppress_text = 1
blacklist = EventCode=4656,4658,4670,4690,4663,5140

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
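As an added example (not part of the original post or the Splunk_TA_windows app), this is how the 4624/4634 noise described above can be trimmed with Splunk's key=regex blacklist form, which matches the Message body of each event; the stanza and regexes are assumptions for Splunk_TA_windows\local\inputs.conf and the Logon Type and Account Name field layouts are those of the standard Security event text.

```ini
# Assumed stanza for Splunk_TA_windows\local\inputs.conf (added example).
[WinEventLog://Security]
disabled = 0
current_only = 1
# suppress_text only strips the descriptive text; the Message fields remain.
suppress_text = 1

# Simple numeric form: these EventCodes are dropped outright.
blacklist = 4656,4658,4670,4690,4663,5140

# key=regex form (blacklist1 .. blacklist9): an event is dropped only when
# every key in the line matches. Keys are case sensitive; the regex is PCRE
# and \s also spans the line breaks inside the Message body.

# Drop 4624 logons whose "New Logon" account is a machine account (name ends
# in $). The "New Logon:" anchor avoids matching the Subject block, which for
# a user logon can itself be the DC's computer account.
blacklist1 = EventCode="4624" Message="New Logon:\s+Security ID:\s+\S+\s+Account Name:\s+\S+\$"

# 4634 carries a single Account Name, so it can be matched directly.
blacklist2 = EventCode="4634" Message="Account Name:\s+\S+\$"

# Drop network (3) and service (5) logons so that interactive (2),
# unlock (7), RemoteInteractive (10) and cached (11) user logons remain.
# Caveat: type 3 also covers user logons to file shares and other remote
# access used for lateral movement; remove the "3" if that visibility is
# needed for detection.
blacklist3 = EventCode="4624" Message="Logon Type:\s+(3|5)\b"
```

Restart the forwarder after editing inputs.conf, then confirm with a search such as `index=* EventCode=4624 | stats count by Logon_Type` that only the intended logon types are still arriving.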