- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why am I unable to reduce the amount of data index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why am I unable to reduce the amount of data indexed for [WinEventLog://Security] through blacklists or suppress_text options?
We are a new Splunk Enterprise 6.4.1 installation and have ran into a snag with indexing our Domain Controller logs. Due to the sheer volume and limited license of 50GB, we had to turn off the Universal Forwarder on 7 out of 8 DCs in our environment. However, we are still getting upwards of 20GB indexed from 1 DC each day. We have used blacklist successfully for the bulk of the noisy events. We also attempted to use the suppress_text=1 argument, but it does not actually strip any of the message or body within the events.
For our situation, we are indexing the [WinEventLog://Security] to capture user login/logoff details within the InfoSec realm. We found that 90% of our EventCodes are 4624 and 4634. These two events are actually the events we need as they capture login/logoff transactions, however, they include events within them for all types of transactions to include NTLM, Kerberos, token exchange, session closes, and machine account access. We only need the user logon/logoff related events. We used the below inputs.conf placed in the "Splunk_TA_windows\local\" Directory. Am I missing something? Can we use a regex to exclude certain types of vents from within the EventCode 4624.
[default]
host = DC-name
[WinEventLog:Security]
disabled = 0
suppress_text = 1
[WinEventLog://Security]
disabled=0
current_only=1
blacklist=EventCode=4656,4658,4670,4690,4663,5140
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An entry in props.conf can also help reduce the amount of data ingested by Windows events without removing meaningful values:
[WinEventLog:Security]
SEDCMD-remwinstr = s/(?ism)(Token Elevation Type indicates|This event is generated).*$//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to put the suppress_text = 1 under [WinEventLog://Security], not under [WinEventLog:Security].
You can use regex in whitelists and blacklists, see here:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, we tried moving the suppress text out of the 1st set and under the [WinEventLog://Security] and it actually had an interesting effect, it scrubbed the 6424/6434 messages completely out of the events. We still saw them on the DC event log, however they would not be indexed at all, it actually did this to just about any event type longer that about 20 lines. As soon as we comment out the suppress text they all populate and index again???
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
