Hi All,
I am building a solution to monitor the Windows event logs from about 800 machines using a Splunk deployment server setup.
I am filtering for only 4 event codes using the whitelist option (4624,4634,4800,4801). The logs seem to be flowing correctly and I am able to generate reports.
However, the issue I am facing is that my disk space is getting filled instantly. About 50 GB for a week of data.
I can increase the disk space by 200 GB, but I fear it will be filled in another 2 weeks.
Can someone help out with how the disk space can be optimized when monitoring the Windows event logs for 800 machines?
Thanks,
Naagaraj SV
Greetings @naagaraj ,
The default setting for new Windows Event Logs is to ingest all logs - including historical logs. When you deploy that, it's not surprising that space quickly fills as Splunk handles the backlog.
If you don't want historical logs, take a look at the current_only setting specifically for Windows Event Logs.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor
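As an added illustration (not part of the answer above), here is what the inputs.conf stanza the question describes looks like before and after applying that advice. The stanza name, the app path in the comments and the index name are assumptions; the settings themselves (`whitelist`, `current_only`, `start_from`) are documented Splunk Windows Event Log monitor keys.

```ini
# Assumed location on the deployment server:
#   etc/deployment-apps/win_eventlog_security/local/inputs.conf
# pushed to the 800 universal forwarders as one serverclass.

# --- Before: default behaviour ---------------------------------------
# With no current_only setting, each forwarder reads the WHOLE existing
# Security log on first start, so 800 machines replay their backlog at
# once and the indexer disk fills immediately.
[WinEventLog://Security]
disabled = 0
index = wineventlog             ; assumed index name
whitelist = 4624,4634,4800,4801 ; only the four event codes from the question

# --- After: forward only events written from now on -----------------
# current_only = 1 tells the input to ignore the historical backlog and
# tail the log from the current position, so the one-time replay that
# consumes most of the space never happens.
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = 4624,4634,4800,4801
current_only = 1
```

Note that `current_only` only affects what forwarders send from the point the change is deployed; backlog that has already been indexed is governed by the index's retention settings in indexes.conf (for example `maxTotalDataSizeMB` and `frozenTimePeriodInSecs`), which is where the existing 50 GB would be trimmed.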