topic Re: How to edit inputs.conf to prevent WinNetMon from using up all my license? in Getting Data In

How to edit inputs.conf to prevent WinNetMon from using up all my license?

brent_weaver — Wed, 16 Nov 2016 16:17:26 GMT

I enabled WinNetMon and need to throttle it back. Here is my inputs.conf:

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 1
interval = 60
readInterval = 500
index = os

[WinNetMon://outbound]
direction = outbound
disabled = 1
interval = 60
readInterval = 500
index = os

What can I tweak to make this less chatty? I do realize that there is a cost to doing this but my license is exhausted. As you can see I already changed readInterval from the default 100 to 500

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

PPape — Wed, 16 Nov 2016 16:56:04 GMT

As described in Splunk Docs - inputs.conf you could Filter to remote Adresses, processes and users.

remoteAddress = <regular expression>
* A regular expression that represents the remote IP address of a
  host that is involved in network communication.
* This setting accepts a regular expression that matches against
  IP addresses only, not host names. For example: 192\.163\..*
* The input includes events for remote IP addresses that match
  the regular expression that you specify here.
* The input filters out events for remote IP addresses that do not
  match the regular expression.
* Defaults to unset (including all remote address events).

process = <regular expression>
* A regular expression that represents the process or application that
  performed a network access.
* The input includes events for processes that match the
  regular expression that you specify here.
* The input filters out events for processes that do not match the
  regular expression.
* Defaults to unset (including all processes and application events).

user = <regular expression>
* A regular expression that represents the Windows user name that
  performed a network access.
* The input includes events for user names that match the
  regular expression that you specify here.
* The input filters out events for user names that do not match the
  regular expression.
* Defaults to unset (including all user name events).

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

jconger — Wed, 16 Nov 2016 21:00:54 GMT

In addition, setting the mode to multikv will help a lot as well.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

brent_weaver — Wed, 16 Nov 2016 21:06:34 GMT

I dont want to filter on just process and user, i want all of the data just not as frequently

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

brent_weaver — Wed, 16 Nov 2016 21:07:41 GMT

Thank you for the reply but i want all events just less of them...

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

miteshp250283 — Thu, 01 Dec 2016 06:05:15 GMT

It doesn't matter how frequently you choose to receive the events within the 24-hour window, the license will still get consumed for that day.

The only way to keep data ingestion within license limits is, to filter unimportant events from coming in.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

SAF_IT — Fri, 30 Dec 2016 18:38:14 GMT

I am trying to figure this out too. Can someone provide some examples from the inputs.conf file?

Using multikv mode seems to break the Splunk Microsoft Windows App. for network monitoring.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

SAF_IT — Wed, 04 Jan 2017 18:09:38 GMT

I'm wrestling with this as well. The WinNetMon traffic generates the largest number of events. Is there a way to write a RegEx to exclude processes, like ICMP which generates a lot of traffic?

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

SAF_IT — Wed, 04 Jan 2017 19:05:17 GMT

I found that I could add

protocol = tcp;udp

to the inbound and outbound WinNetMon stanzas in inputs.conf file on the UF. That stopped the ICMP traffic, which helps.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

SAF_IT — Wed, 04 Jan 2017 19:26:30 GMT

I found that I could add

protocol = tcp;udp

to the inbound and outbound WinNetMon stanzas in inputs.conf file on the UF. That stopped the ICMP traffic, which helps.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

templets — Fri, 03 Feb 2017 21:10:46 GMT

It seems that the default conf captures not just connection requests and accepts, but each packet (i.e. transport). Also, the events are duplicated in both the inbound and outbound sources.

I mitigated this by replacing the existing WinNetMon stanza with:

[WinNetMon://winnetmon]
direction = inbound;outbound
disabled = 0
index = windows
packetType = accept;connect

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

samhodgson — Wed, 31 Jan 2018 15:09:23 GMT

Genius! was seeing cpu utilisation of 20-40% on our DC's from the splunk-netmon process and this knocked it down to 2%.

Re: How to edit inputs.conf to prevent WinNetMon from using up all my license?

emikulic — Wed, 18 Oct 2023 17:00:37 GMT

This is an old post so a known issue. I think folks using ES app or using Splunk as a SIEM and almost any US Govt supplier will need most of that 'extra' info for any IT sec forensic analysis. Most all US Govt suppliers are subject to NIST now and CMMC coming in 2024. I would imagine HIPPA, SOX, GDPR, GLBA, and CCPA companies systems will need that as well.

It is noisy but attacks are very often using non-standard ports to transfer information/data to/from an outside host like ICMP, SSH, and RDP as most application level IDS/IPS are looking at 80/443 inspection.

For general SMB and Small Enterprise this is probably viable in some respects though.