I am rather new to Splunk so far, having come from previously using Event Sentry for a small offline network of VM-based systems on a VDI. Simply put, our move to Splunk was in order to incorporate the logging of Linux systems soon to come as well. So far I have opted for my company to get a single 1 GB/day license, since the current configuration in Event Sentry that I use to capture event logs from the Windows systems generates about half a gig a day. So I figured Splunk would be pretty similar in its data collection if I am opting to collect the same things.

Come to actually stand the server up and try to add my first few servers in data sets, and come to find that these few servers, with only the three event logs I care about (System, Security, Application), in addition to the Splunk server itself, have basically completely tapped out my 1 GB/day limit. Am I missing some crucial configuration component here, or did I insanely underestimate the collection that would happen here? Realistically I should probably have tried this out prior to going for the licensed route, but I thought the collection would be akin to what I have seen before.

Any details or assistance in finding resources about this stuff would be great. As it stands I have been searching for the details on what all is captured but am coming up with not much.