Therefore, depending on the Windows auditing configuration, Splunk may ingest events with the same event code but with different, or unmatched, messages. Keep in mind that these blacklists filter out events by matching not just an event code but also a message string. Filtering them out reduces the indexing and retention load. The specific items in the WinEventLog://Security blacklist correspond to events of low value but high volume. This is a best-practice approach to filtering because it avoids the load that would otherwise be put on the network and indexers to process and then discard the events.
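To make the "event code AND message" matching concrete, here is an added example (not from the original post or from Splunk) that simulates how a WinEventLog blacklist in the `key="regex"` form is evaluated against sample events. The rule values, the sample events and the search-style regex semantics are assumptions for illustration; check them against your own inputs.conf before relying on the result.

```python
import re

# Constructed blacklist rules in the key="regex" form that WinEventLog inputs.conf
# blacklists use (values are illustrative, not the Splunk add-on's defaults).
BLACKLIST = {
    "blacklist1": r'EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"',
    "blacklist2": r'EventCode="4688" Message="Process Name:.*\\conhost\.exe"',
}

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_rule(rule):
    """Turn one blacklist value into {field: compiled regex}; every field must match."""
    return {field: re.compile(rx) for field, rx in _PAIR.findall(rule)}


def matching_rule(event, rules=BLACKLIST):
    """Return the name of the first rule whose every field regex is found in the
    event (search semantics, assumed to mirror Splunk), or None if no rule matches."""
    for name, rule in rules.items():
        fields = parse_rule(rule)
        if all(rx.search(str(event.get(f, ""))) for f, rx in fields.items()):
            return name
    return None


def apply_blacklist(events, rules=BLACKLIST):
    """Split events into those that would be indexed and those dropped at the input."""
    kept, dropped = [], []
    for ev in events:
        (dropped if matching_rule(ev, rules) else kept).append(ev)
    return kept, dropped


# Constructed sample events. Of the three 4662 events only the one whose message
# carries "Object Type:" followed by a non-GPO type is filtered; an event with the
# same code but a message the regex does not recognise still reaches the index.
SAMPLE_EVENTS = [
    {"EventCode": 4662, "Message": "An operation was performed on an object.\nObject Type:\t\tgroupPolicyContainer"},
    {"EventCode": 4662, "Message": "An operation was performed on an object.\nObject Type:\t\tuser"},
    {"EventCode": 4662, "Message": "An operation was performed on an object.\nObjektart:\t\tuser"},
    {"EventCode": 4688, "Message": "A new process has been created.\nProcess Name:\tC:\\Windows\\System32\\conhost.exe"},
    {"EventCode": 4688, "Message": "A new process has been created.\nProcess Name:\tC:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    kept, dropped = apply_blacklist(SAMPLE_EVENTS)
    print(f"indexed: {len(kept)}, dropped at input: {len(dropped)}")
```

Running it shows two of the five constructed events dropped at the input and three indexed, including a 4662 event whose message text the blacklist regex never sees as a match.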