Forums: SplunkAdministration: Logging Advise

I recently deployed Splunk here at my company. We're using the Snare agent to forward all of the logs from our Windows servers to the splunk server. One thing I'm noticing though is that I'm getting a huge amount of login/logoff messages from my AD controller. I've toyed with trying to not log these, but thought I would ask if anyone has found it useful to be logging this information?

I'm very new to splunk, so I'm sure I have a lot of tweaking to do. Currently I'm logging everything. I'd love to hear what others have found to be useful though. Do you log everything, or do you not log the informational messages, just the critical and warning messages.

Thanks for any advise anyone wants to share.

--Aric Wilisch

It depends on your requirements. If you are required by policy to collect all events, then just craft your searches to exclude these noisy events. If you are not bound by such requirements, just filter them from the index or change your audit policy on your domain controllers.

Oh I log everything, I am still in the trial stages of Splunk. Something that I have found exceedingly helpful is turning auditing on for my file shares.
I take the stance of, if Splunk can handle it (for me so far it has with ease), then take everything possible in, you can always limit your search terms, but you never know when you are going to want some historical data. What seems useless information today may be mission critical tomorrow.

As for your logon/logoff I googled for it and turned up this informative article:
http://www.eggheadcafe.com/forumarchives/windowsserversecurity/Jan2006/post25333937.asp
Cool thing about splunk, if you see a log many times, just copy and paste the critical info into a google search, omit the info unique to your domain and you will get some great returns from forums.