Getting Data In

How to handle Windows 2008 event log descriptive text with a universal forwarder

gpullis
Communicator

The crazily verbose descriptive text that's appended to the end of many Windows Server 2008 events has been covered in the Splunk Answers question "Disabling or removing extra description text in Windows 2008 event logs?", with an excellent answer by jervin involving using SEDCMD in props.conf to trim the description off.

The problem is, per "Configuration parameters and the data pipeline", a universal forwarder can't do a SEDCMD. It seems to me like you couldn't use a universal forwarder on a Windows 2008 server without absolutely murdering your Splunk license with all that descriptive text.

Can anyone think of a way around this problem?

1 Solution

jbsplunk
Splunk Employee

You could implement the configuration where the data is being parsed, most likely the indexer, and it would also alter the data in the same way.

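To make the accepted answer concrete, here is an added example (not code from this thread or from Splunk) that applies the same kind of trim the SEDCMD does, but in Python, so you can see what survives and how much raw volume the parsing tier would stop counting. The props.conf stanza in the comment, the regex, and the sample event are all assumptions constructed for this example; check them against the jervin answer and your own event text before using anything like them.

```python
import re

# Constructed sample of a Windows Server 2008 Security event as a universal
# forwarder would ship it: a short, useful header followed by Microsoft's
# boilerplate explanation. The boilerplate wording is a paraphrase (assumption),
# not a verbatim copy of any real event.
SAMPLE_EVENT = (
    "04/10/2024 09:12:31 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=host01.example.local\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tHOST01$\n"
    "\tLogon Type:\t\t3\n"
    "\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
    "\n"
    "The subject fields indicate the account on the local system which "
    "requested the logon. This is most commonly a service such as the "
    "Server service, or a local process such as Winlogon.exe or Services.exe.\n"
    "\n"
    "The logon type field indicates the kind of logon that occurred. "
    "The most common types are 2 (interactive) and 3 (network).\n"
)

# Python equivalent of a props.conf line placed on the instance that parses the
# data (indexer or heavy forwarder, never the universal forwarder), e.g.:
#
#   [WinEventLog:Security]
#   SEDCMD-trim_description = s/This event is generated[\s\S]*$//
#
# Stanza name and regex are assumptions for this example. SEDCMD uses sed-style
# s/// syntax, which maps to re.sub here: everything from the first
# "This event is generated" to the end of the event is dropped.
DESCRIPTION_RE = re.compile(r"This event is generated[\s\S]*$")


def trim_description(event: str) -> str:
    """Drop the boilerplate that follows the first 'This event is generated'."""
    return DESCRIPTION_RE.sub("", event).rstrip()


def license_bytes(event: str) -> int:
    """Approximate the raw bytes Splunk would count for this event."""
    return len(event.encode("utf-8"))


def savings(event: str) -> dict:
    """Before/after byte counts and the percentage removed by the trim."""
    before = license_bytes(event)
    after = license_bytes(trim_description(event))
    return {
        "before": before,
        "after": after,
        "saved_pct": round(100 * (before - after) / before, 1),
    }


if __name__ == "__main__":
    print(trim_description(SAMPLE_EVENT))
    print(savings(SAMPLE_EVENT))
```

The check worth doing before rolling a trim like this out: confirm that every field you search or alert on (Security ID, Account Name, Logon Type, and so on) sits before the boilerplate marker in your real events, because an anchored, greedy pattern removes everything after its first match. Run the trimmed output past whoever owns your Windows detections rather than assuming the description is the only thing that goes.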

reedmohn
Communicator

What is the resource cost of doing this on the indexers? After all, in a Windows heavy environment, some of the events with these descriptions probably make up the bulk of logged security events.

Is there a way of doing it on an intermediary step? I.e. putting an intermediary forwarder between the Windows forwarders and the indexers?

0 Karma

rnagheereddy
Explorer

Make the forwarder a "Heavy Forwarder" and do the work before the data is sent to the Indexer. The tradeoff is that your forwarder will have higher CPU utilization.

I love the descriptive text when I'm scrolling through an actual event log, but I don't need to index or store ten gazillion copies of MSFT boilerplate in my Splunk db.

I'm literally in the middle of doing this so thanks for your link to the SEDCMD article!

0 Karma

ephemeric
Contributor

You can also do "sendCookedData = false" on the SUF and then work on the events on the indexer or heavy forwarder.

0 Karma

gpullis
Communicator

Thanks! Also, according to http://splunk-base.splunk.com/answers/7171/sed-cmd-and-indexing-volume-count/7172, since parsing happens before indexing, what SEDCMD chops off -- even on the indexer -- is not counted towards the license.

gpullis
Communicator

Correct, but then doesn't the unparsed data as it comes into the indexer count against my license?

0 Karma