I have a problem with the extra (useless) information in the logs produced by Windows 2008. Especially this event (4624): it almost eats my licensing space. If I could remove the blue part, thus saving half the space, I'd save many GB/24h of useful space (my SIEM environment is really huge).
We send those events to Netwitness with WinRM. I can't use the Snare agent on those machines (and I can't, ofc, change the Windows version ;-) ).
Are there other ways I can remove these lines from the log (directly on the Windows 2008 machines, or directly on the SIEM), since they do not provide useful information and only waste license space? If this could be done, I'd save half the space (a 2 kB log would become a 1 kB log).
Tyvm, and sorry for my bad English ;-) I hope I managed to explain the problem clearly.
- SourceName=Microsoft Windows security auditing.
- Keywords=Audit Success
- Message=An account was successfully logged on.
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
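An added example (not from the original post, and not NetWitness or Microsoft code) of what the requested filter does on the collector or SIEM side. It assumes there is a point in the pipeline where the rendered message text can be passed through a function before it is indexed and counted against the license; whether a given collector exposes such a hook is an assumption to check in its documentation. The function cuts the message at the first sentence of the static explanation. That text is identical in every 4624 event, so dropping it loses nothing that the Event ID does not already tell you. The structured fields are then re-parsed before and after to prove the cut touched none of them. The sample event is constructed with placeholder SIDs, names and an RFC 5737 address.

```python
import re

# Constructed sample of a Windows 2008 Security event 4624 message body, in the
# layout Windows renders it; every value is a placeholder, not a real host/account.
SAMPLE_4624 = "\n".join([
    "An account was successfully logged on.",
    "",
    "Subject:",
    "\tSecurity ID:\t\tS-1-5-18",
    "\tAccount Name:\t\tSRV01$",
    "\tAccount Domain:\t\tEXAMPLE",
    "\tLogon ID:\t\t0x3e7",
    "",
    "Logon Type:\t\t\t3",
    "",
    "New Logon:",
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001",
    "\tAccount Name:\t\tjdoe",
    "\tAccount Domain:\t\tEXAMPLE",
    "\tLogon ID:\t\t0x1a2b3c",
    "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}",
    "",
    "Process Information:",
    "\tProcess ID:\t\t0x0",
    "\tProcess Name:\t\t-",
    "",
    "Network Information:",
    "\tWorkstation Name:\t",  # blank, the case the description itself warns about
    "\tSource Network Address:\t192.0.2.10",
    "\tSource Port:\t\t49152",
    "",
    "Detailed Authentication Information:",
    "\tLogon Process:\t\tKerberos",
    "\tAuthentication Package:\tKerberos",
    "\tTransited Services:\t-",
    "\tPackage Name (NTLM only):\t-",
    "\tKey Length:\t\t0",
    "",
    # From here on the text is the same in every 4624 event (the part the
    # question wants to drop); wording taken from the description in the post.
    "This event is generated when a logon session is created. It is generated on the computer that was accessed.",
    "",
    "The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.",
    "",
    "The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).",
    "",
    "The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.",
    "",
    "The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.",
    "",
    "The authentication information fields provide detailed information about this specific logon request.",
    "\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.",
    "\t- Transited services indicate which intermediate services have participated in this logon request.",
    "\t- Package name indicates which sub-protocol was used among the NTLM protocols.",
    "\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
])

# First sentence of the static explanation (English OS text); everything from
# it onward is per-Event-ID boilerplate, not per-event data.
STATIC_MARKER = "This event is generated when a logon session is created."


def strip_static_description(message: str) -> str:
    """Drop the boilerplate explanation appended to every 4624 message.

    If the marker is absent (other event IDs, a localized OS), the message is
    returned unchanged: an unknown layout must never be silently truncated.
    """
    idx = message.find(STATIC_MARKER)
    if idx == -1:
        return message
    return message[:idx].rstrip() + "\n"


def bytes_saved(message: str) -> float:
    """Fraction of the UTF-8 size removed by strip_static_description."""
    full = len(message.encode("utf-8"))
    kept = len(strip_static_description(message).encode("utf-8"))
    return 1 - kept / full


# "\tKey:\t\tValue" lines; the key may contain spaces and parentheses.
FIELD_RE = re.compile(r"^\t?([^:\t]+):\t*(.*)$")


def extract_fields(message: str) -> dict:
    """Parse the 'Section:' / '\tKey:\tValue' layout into {"Section.Key": value}.

    Used here to verify that stripping left every structured field intact.
    """
    fields, section = {}, None
    for line in message.splitlines():
        if not line.strip():
            section = None            # a blank line ends the current section
            continue
        if not line.startswith("\t") and line.endswith(":"):
            section = line[:-1]       # e.g. "New Logon"
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                  # free text such as the first sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        fields[f"{section}.{key}" if section else key] = value
    return fields


if __name__ == "__main__":
    stripped = strip_static_description(SAMPLE_4624)
    print(f"{len(SAMPLE_4624)} -> {len(stripped)} bytes, {bytes_saved(SAMPLE_4624):.0%} saved")
    assert extract_fields(SAMPLE_4624) == extract_fields(stripped)
    f = extract_fields(stripped)
    print(f["Logon Type"], f["New Logon.Account Name"], f["Network Information.Source Network Address"])
```

The marker is the English rendering; on a non-English Windows install the explanation is localized, the marker is not found, and the function passes the message through untouched, which is the safe direction to fail. Run the field comparison on a sample of your real events before enabling the cut, so a layout you did not anticipate shows up as a mismatch rather than as lost data.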