Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I truncate my Windows logs?

pfabrizi
Path Finder
‎01-12-2018 08:47 AM

I am being asked if we can remove some the extraneous data from our Windows logs at indexing time.
I remember in class the instructor talked about this, but I can't remember?

Tags (1)
0 Karma
Reply

spayneort
Contributor
‎01-13-2018 08:07 AM

You can use SECMD in props.conf on the indexer/heavy forwarder to remove some of the extra text in the logs. Here are some examples.

https://answers.splunk.com/answers/44865/remove-out-section-of-log.html
https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
https://gist.github.com/automine/5c8ef5b50e1df38249dfba01a70f2875

[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g

# Removed due to issue with Windows Filtering Platform events
# SEDCMD-clean8-firewall_summary = s/(?ms)(The Windows Filtering Platform has permitted.*$)//g
Reply

nickhills
Ultra Champion
‎01-12-2018 08:58 AM

You sure can:
Whitelisting and blacklisting is what you are looking for!

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Event_Log_whitelist_and_blacklist...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

mayurr98
Super Champion
‎01-12-2018 08:55 AM

hey There is one way to i.e. discard specific events and keep the rest using props.conf and transforms.conf

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

As from the doc above follow Steps:

This example discards all sshd events in /var/log/messages by sending them to nullQueue:

  1. In props.conf, set the TRANSFORMS-null attribute:

    [source::/var/log/messages]
TRANSFORMS-null= setnull

  2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":

    [setnull]
    REGEX = [sshd]
    DEST_KEY = queue
    FORMAT = nullQueue

3.Restart Splunk Enterprise.

Let me know if this helps you!

0 Karma
Reply

nickhills
Ultra Champion
‎01-12-2018 09:01 AM

Whilst this will work, this is not the most effective way to do this for windows logs - The windows event log input has a specific mechanism for dropping the large number of events windows produces, which prevents them being forwarded from the client - its far more efficient to drop them on the UF, than after they have crossed the network.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...