Hi all,
I have a problem with the extra (useless) information in the logs produced by Windows 2008. Especially this event (4624): it almost eats my licensing space. If I could remove the blue part, thus saving half the space, I'd save many GB/24h of useful space (my SIEM environment is really huge).
We send those events to NetWitness with WinRM. I can't use the Snare agent on those machines (and I can't, ofc, change the Windows version ;-) ).
Are there other ways I can remove these lines from the log (directly on the Windows 2008 machines, or directly on the SIEM), since they do not provide useful information and only waste license space? If this could be done, I'd save half the space (from a 2kB log, it would become a 1kB log).
Tyvm, and sorry for my bad English ;-) I hope I managed to explain the problem clearly.
David
- LogName=Security
- SourceName=Microsoft Windows security auditing.
- EventCode=4624
- EventType=0
- Type=Information
- ComputerName=HIDDEN
- TaskCategory=Logon
- OpCode=Info
- RecordNumber=6039
- Keywords=Audit Success
- Message=An account was successfully logged on.
- ....
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
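As an added example (not from the original post, nor NetWitness or Microsoft code), here is a collector-side filter that drops only the fixed description paragraphs of event 4624 while keeping every data-carrying line, so the per-event fields the SIEM needs survive. The sample event, its SIDs and account name are constructed placeholders shaped like the dump above.

```python
import re

# Opening words of the static sentences Windows appends to every 4624 message
# (taken from the post); none carries per-event data, so dropping them is safe.
STATIC_DESCRIPTION_PREFIXES = (
    "This event is generated when a logon session is created.",
    "The subject fields indicate the account on the local system",
    "The logon type field indicates the kind of logon that occurred.",
    "The New Logon fields indicate the account for whom the new logon",
    "The network fields indicate where a remote logon request originated.",
    "The authentication information fields provide detailed information",
    "- Logon GUID is a unique identifier",
    "- Transited services indicate which intermediate services",
    "- Package name indicates which sub-protocol was used",
    "- Key length indicates the length of the generated session key.",
)

def strip_static_description(event_text: str) -> str:
    """Drop only lines that begin with a known static sentence; every other
    line (key=value pairs, section headers, field rows) is kept verbatim,
    so an unexpected field is never silently lost."""
    kept = [line for line in event_text.splitlines()
            if not line.strip().startswith(STATIC_DESCRIPTION_PREFIXES)]
    # Collapse the blank lines the removed paragraphs leave behind.
    return re.sub(r"\n{2,}", "\n", "\n".join(kept)).strip() + "\n"

def savings(event_text: str) -> dict:
    """Byte counts before and after, to check the saving the post hopes for."""
    before = len(event_text.encode("utf-8"))
    after = len(strip_static_description(event_text).encode("utf-8"))
    return {"before": before, "after": after,
            "saved_pct": round(100 * (before - after) / before)}

# Constructed sample shaped like the post's dump; SIDs and names are placeholders.
SAMPLE_4624 = """\
LogName=Security
EventCode=4624
Message=An account was successfully logged on.
Logon Type:\t\t\t3

New Logon:
\tSecurity ID:\t\tS-1-5-21-PLACEHOLDER-1001
\tAccount Name:\t\tsvc_backup

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The authentication information fields provide detailed information about this specific logon request.
\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
"""
```

Because the filter matches on sentence prefixes rather than truncating at a fixed offset, a line it does not recognise is passed through untouched, which is the behaviour you want in front of a SIEM.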
Davide Ansher,
I've moved your question to the RSA NetWitness Platform space, where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA NetWitness Platform and click Ask A Question. That way your question will appear in the correct space.
Regards,
Erica