I would like to be able to forward logs and then delete them using a UF. How can I do this?
For the sake of the Splunk community, it would be nice if this question had a run-anywhere solution. However, I will also detail my use case specifically.
I am using Windows Event Forwarding (WEF) to collect 4800/4801 Windows security logs from 2000 of our workstations into a Windows Event Collector (WEC) that has a UF on it. I only spun up the WEC VM with an 80GB disk, as there is no reason to assign more disk space to merely a collection node, and storage is money. I can forward the logs from the WEC without a problem, but I need to be able to purge the logs after forwarding.
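One way to keep the WEC disk in check, as an added example that is not part of the original post: back up the ForwardedEvents log to an .evtx file and only then clear it, so nothing is lost if the UF is still catching up. The log name, archive path, size threshold and retention period are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): rotate the WEC's ForwardedEvents log
# once it exceeds a size threshold. The log is exported to an .evtx backup before it
# is cleared, so events the UF has not yet read are still recoverable; old backups
# are pruned so the archive cannot fill the disk either. Paths and numbers are assumed.
param(
    [string]$LogName   = 'ForwardedEvents',
    [string]$BackupDir = 'D:\evtx-archive',   # assumed archive location
    [int]   $MaxSizeMB = 4096,                # clear once the log grows past this
    [int]   $KeepDays  = 7                    # backups older than this are deleted
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Current size and record count of the log (EventLogConfiguration object).
$log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
$sizeMB = [math]::Round($log.FileSize / 1MB, 1)
Write-Host ("{0}: {1} records, {2} MB on disk" -f $LogName, $log.RecordCount, $sizeMB)

if ($sizeMB -lt $MaxSizeMB) {
    Write-Host "Below threshold ($MaxSizeMB MB); nothing to do."
    return
}

# Back up, then clear. 'wevtutil cl' with /bu: writes the backup before clearing.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir ("{0}-{1}.evtx" -f $LogName, $stamp)
& wevtutil.exe cl $LogName /bu:$backup
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
Write-Host "Cleared $LogName after backing up to $backup"

# Prune old backups so the archive itself does not become the disk problem.
Get-ChildItem -Path $BackupDir -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Force
```

Run it from a scheduled task under an account that can clear the log; the backup step is what makes the clear safe, since clearing discards anything the UF has not yet picked up.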