Is there a good reference list or someone that can post what ways Windows Event Logs are being filtered? I'm particularly interested in those from a security perspective. For example, I get a flood of successful logins on an IIS web server from the IUSR account, which is of little value to me.
You can filter using multiple values or one value.
See this answer for an example: http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log
I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.
Splunk 6 makes this easier now with blacklists for windows inputs.
[WinEventLog:Security]
disabled = false
blacklist = 5156-5157
It also makes suppressing the message payload much easier.
[WinEventLog:Security]
disabled = 0
suppress_text = 1
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
This does not work on Universal Forwarders, correct?
You can filter using multiple values or one value.
See this answer for an example: http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log
I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.