
Event filter on WEC vs Event blacklist on UF

adalbor
Builder

Hey All,

I am comparing two routes to blacklist/filter events.

1) Filter events out at our WEC's using the event filter
2) Blacklist the events on the Universal Forwarders

We currently have different events filtered/blacklisted in both areas, but I want to consolidate for management purposes and for ease of use.
Are there any benefits to either one?

Filtering on the WEC means it's not collecting the events, period, saving storage space and resource usage. I can't find anywhere, though, that documents or defines any performance hits by doing that on the WEC subscriptions.

I do love that I can use a regex to filter out specific things like process names on 4688s on the UF.

I was thinking of filtering out all full events I don't want on the WEC, then using the blacklist on the UF to filter out specific events from certain event types like the 4688.

Any thoughts or guidance?

Thanks!
Andrew

0 Karma
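To make the two-layer approach described in the question concrete, here is an added example (not code from the thread or from Splunk) that simulates both stages offline: a WEC subscription query that suppresses whole event IDs, followed by a Universal Forwarder `inputs.conf` blacklist that drops only specific 4688/4624 events by regex. The subscription XML, the `inputs.conf` stanza and the sample events are all constructed for this illustration. The blacklist semantics modelled here (within one `blacklistN` rule every `key="regex"` pair must match for the event to be dropped; separate rules are OR'd; the regex is applied as an unanchored search against the field value) follow Splunk's documented `WinEventLog` blacklist behaviour, and the WEC stage is simplified to reading the `EventID` numbers out of the `<Suppress>` element rather than evaluating the full XPath.

```python
import re
import xml.etree.ElementTree as ET

# Constructed WEC subscription query: collect the whole Security log except the
# event IDs listed in <Suppress>. Events suppressed here never reach the collector.
WEC_QUERY = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4634 or EventID=4647 or EventID=5156)]]</Suppress>
  </Query>
</QueryList>"""

# Constructed inputs.conf stanza for a UF reading the ForwardedEvents log on the WEC.
# One blacklistN line is one rule; every key="regex" pair in the rule must match
# (AND); any matching rule drops the event (OR across rules).
INPUTS_CONF = r"""
[WinEventLog://ForwardedEvents]
disabled = 0
blacklist1 = EventCode="4688" Message="New Process Name:\s+(?:.*\\)?(?:conhost|SearchFilterHost)\.exe"
blacklist2 = EventCode="4624" Message="Logon Type:\s+5"
"""

# Constructed sample events as the UF would see their fields.
SAMPLE_EVENTS = [
    {"id": 1, "EventCode": "4634", "Message": "An account was logged off."},
    {"id": 2, "EventCode": "4688",
     "Message": "A new process has been created.\r\nNew Process Name:\tC:\\Windows\\System32\\conhost.exe"},
    {"id": 3, "EventCode": "4688",
     "Message": "A new process has been created.\r\nNew Process Name:\tC:\\Windows\\System32\\cmd.exe"},
    {"id": 4, "EventCode": "4624",
     "Message": "An account was successfully logged on.\r\nLogon Type:\t\t5"},
    {"id": 5, "EventCode": "4624",
     "Message": "An account was successfully logged on.\r\nLogon Type:\t\t10"},
]

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')                        # key="regex" (no quotes inside values)
BLACKLIST_RE = re.compile(r'^\s*blacklist\d*\s*=\s*(.+?)\s*$', re.M)


def wec_suppressed_ids(query_xml):
    """Return the set of EventIDs named in the subscription's <Suppress> clauses (simplified XPath read)."""
    ids = set()
    for sup in ET.fromstring(query_xml).iter("Suppress"):
        ids.update(re.findall(r"EventID=(\d+)", sup.text or ""))
    return ids


def parse_blacklists(conf):
    """Turn each blacklistN line into a list of (field, compiled regex) pairs."""
    rules = []
    for m in BLACKLIST_RE.finditer(conf):
        pairs = [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(m.group(1))]
        if pairs:
            rules.append(pairs)
    return rules


def uf_drops(event, rules):
    """True if any rule has all of its field regexes matching the event (unanchored search)."""
    return any(all(rx.search(str(event.get(key, ""))) for key, rx in pairs) for pairs in rules)


def pipeline(events, query_xml=WEC_QUERY, conf=INPUTS_CONF):
    """Classify each event by where it is stopped: at the WEC, at the UF, or indexed."""
    suppressed = wec_suppressed_ids(query_xml)
    rules = parse_blacklists(conf)
    outcome = {}
    for ev in events:
        if ev["EventCode"] in suppressed:
            outcome[ev["id"]] = "dropped@WEC"   # never collected; cannot be recovered later
        elif uf_drops(ev, rules):
            outcome[ev["id"]] = "dropped@UF"    # collected on the WEC, not forwarded
        else:
            outcome[ev["id"]] = "indexed"
    return outcome


if __name__ == "__main__":
    for event_id, result in pipeline(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {result}")
```

Running this before touching production lets you check a proposed `blacklistN` regex against captured event text; note that the logoff (4634) is gone before the UF ever sees it, which is exactly the trade-off between the two layers: a WEC `<Suppress>` saves collection cost but cannot be undone for past events, while a UF rule can be loosened later because the event still exists in the ForwardedEvents log.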

kmorris_splunk
Splunk Employee

The benefit of filtering at the UF is the ability to easily change the blacklisting. If you are filtering out things at the WEC, then the data isn't there at all. So, in short, if you think you might need it at some point, then I would say to collect it and blacklist.

0 Karma

sloshburch
Splunk Employee
0 Karma