All Apps and Add-ons

Windows Event Logs monitoring

naagaraj
Engager

Hi All,

 

I am building a solution to monitor the windows event logs from about 800 machines using splunk deployment server setup.

I am filtering for only 4 event codes using whitelist option (4624,4634,4800,4801). The logs seems to be flowing correctly and i am able to generate reports.

However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.

I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.

Can someone help out how the disk space can be optimized when monitoring the windows event logs for 800 machines. 

 

Thanks,

Naagaraj SV

Labels (2)
0 Karma

jacobpevans
Motivator

Greetings @naagaraj ,

The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog. 

If you don't want historical logs, take a look at the current_only setting specifically for Windows Event Logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...