For the Windows events/logs that end up in the storage buckets on Splunk Enterprise servers, is Splunk copying the original Windows event log files to its own storage, or is it just ingesting events from the forwarders?
The reason I ask is because our CISO wants our secuity team to retain the original log files for fidelity in case we ever get audited or sued and I feel like we can just setup Splunk to alert us if log files have been cleared. Additionally, if an insider threat were to pull a workstation offline, then clear the logs, we wouldn't have the orignal logs, anyway...
Does anyone know if there are regulations in any industries that require the original log files?
... View more