Currently evaluating Splunk with a view to buying a license, but for now we're on the unlicensed 500mb tier.
I installed a Universal Forwarder on both our DCs and it's basically taken us up to our 500mb daily quota because it looks like it's forwarded all historic event logs on the DCs as well as "from now onwards".
I'm not yet knowledgeable enough about Splunk to know the correct way to "clean" the old data - and presumably, even if I did, I'm not changing that it's ingested and indexed 500mb today so I'm still over the quota.
It would be good to know for the next time I add a Windows server though.