Reduce Windows 2008 Event 4624
i have a problem with the extra (useless) information of log produced by Windows 2008. Especially this event (4624), it almost eat my licensing space. If i could remove the blue part, thus saving half the space, i'll save many GB/24h of useful space (my siem environment is really huge).
We send those events to Netwitness with WinRM. I can't use Snare agent on those machines (and i can't, ofc, change Windows Version 😉 ).
Are there other ways i can remove this lines from the log (directly on windows 2008 machines, of directly on SIEM), since they do not provide useful information and they only waste license space ? if this could be done, i'll save half the space (from 2kB log, it will become 1kB log)
Tyvm, and sorry for my bad english 😉 i hope i managed to explain clearly the problem.
- SourceName=Microsoft Windows security auditing.
- Keywords=Audit Success
- Message=An account was successfully logged on.
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
- security events
- windows 2008
I've moved your question to the RSA NetWitness Platform" data-type="space space, where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A QuestionRSA NetWitness Platform" data-type="space on the blue navigation bar and choose . From there, scroll to and click Ask A Question. That way your question will appear in the correct space.
hi sravan, thank you for your answer. i already saw the link you provided, but i can't use snare, i can't install agent at all. i am limited to the use of winrm. is there a way without the use of an agent ?