When working with Windows event logs in your Splunk environment it's typical to come across two scenarios: How do I get rid of specific events that aren't necessary for my use case? How do I trim off the duplicated text at the bottom of events that's chewing up my license? The answer to both of these questions is to leverage the advanced filtering techniques at the input level and event routing at the indexing level. In this tutorial, I'll explain how you can do both of these things so you only bring in the data you need.

Before we get started, you should consider a strategy for how you ingest your Windows event logs. You can default to allow all with explicit denies, default to deny all with explicit allows, or a hybrid of explicit allows/denies. It's important to understand that by default all event codes will be indexed if you do not specify a whitelist. If you add a single whitelist statement, Splunk will only index events which match your whitelist for that particular input stanza and ignore the rest of the events. You should also note that Splunk processes whitelists first, then blacklists. This means you can combine whitelists/blacklists together to achieve a certain result (i.e., allow all events of event code X by default, but deny specific strings within event code X).

The primary benefit of whitelists/blacklists for Windows Event Logs is that we get to do the filtering in the ingestion pipeline instead of in the typing pipeline, which is how filtering is traditionally handled in Splunk. This means you can filter out data before it's ever sent over the wire and save yourself from wasting precious bandwidth and compute cycles on your indexers. The caveat is the inability to alter event text, so if you want to do that you still need to do it on the indexers (which I will go over as well). Lastly, I will cover how you can structure your inputs deployment in a layered approach. This is going to give you more control over what data you're bringing in and allow you to more easily manage which hosts send what data as your environment grows. Combining these strategies will get you the most bang for your buck by optimizing your Windows event log data ingestion.

Deployment Strategies

Give Me All the Events, Except Certain Ones

This is the most common approach to working with Windows Event Logs, and it's typically the easiest way to get your desired result. With this method you are never declaring a whitelist. So, the default behavior is to grab all event codes under that Event Log Channel. To filter down you then configure blacklists to drop specific event codes that you do not need. Once you have your standard event code blacklist, you can hone in on specific events which aren't useful and use advanced filtering techniques to drop those.

This is another common approach often used when you have a limited amount of license capacity to work with.
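As an added example (not from the original post), here is an inputs.conf stanza for the Security channel that follows the "all events, except certain ones" approach: no whitelist, a standard event-code blacklist, and one advanced key=regex filter on the Message field. The event codes and the regex are illustrative assumptions, not recommendations for any particular environment.

```ini
# inputs.conf on the universal forwarder (or in a deployed inputs app).
# Added example, not from the original post; event codes and regexes
# below are illustrative assumptions for a Security channel input.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXml = false

# No whitelist is declared, so every event code in the channel is
# collected by default (allow all with explicit denies).

# Standard event-code blacklist: drop codes that carry no value for
# this deployment. The key=regex form is used throughout so each
# entry is evaluated the same way; anchors keep "4634" from also
# matching "46340" if such a code ever appeared.
blacklist1 = EventCode="^4634$"
blacklist2 = EventCode="^515[6-8]$"

# Advanced filtering: keep event code 4688 in general, but drop only
# the instances whose Message shows a noisy process (assumed path).
# Both key=regex pairs must match for the event to be dropped.
blacklist3 = EventCode="^4688$" Message="New Process Name:\s+C:\\Windows\\System32\\conhost\.exe"
```

Because these filters run in the forwarder's ingestion pipeline, the dropped events never leave the host; anything that must rewrite event text still belongs in props.conf on the indexers, as the post notes.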