Solved: SA-Eventgen how to decrease log verbosity

gballanti · ‎12-18-2019

I've installed SA-Eventgen and SPL Examples that work as expected. Unfortunately in few days the logs filled up my filesystem. In particulary the "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/logs/eventgen-main.log" file is becomed 22G big in a week.
The log reports rows as follow

2019-12-18 09:15:09 eventgen DEBUG MainProcess {'event': "hourOfDayRate for sample 'noise.cpu' in app 'spl_examples' is 0.4"}
2019-12-18 09:15:09 eventgen DEBUG MainProcess {'event': "dayOfWeekRate for sample 'noise.cpu' in app 'spl_examples' is 0.5"}
2019-12-18 09:15:09 eventgen DEBUG MainProcess {'event': 'Original count: 7.5 Rated count: 2 Rate factor: 0.2038'}

So I was thinking that application could be in debug mode, checking the eventgen.conf seems it ain't

debug = false
verbosity = false

Is there any way to reduce the log verbosity ?

Thanks & regards

lwu_splunk · ‎12-18-2019

Try to set DEFAULT_LOGGING_LEVEL = "ERROR" in $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/logging_config/__init__.py; or
Set 'disable_existing_loggers': True in $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/logging_config/__init__.py;

View solution in original post

lwu_splunk · ‎12-18-2019

Try to set DEFAULT_LOGGING_LEVEL = "ERROR" in $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/logging_config/__init__.py; or
Set 'disable_existing_loggers': True in $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/logging_config/__init__.py;

gballanti · ‎12-18-2019

option 1 works fine, thanks.

SA-Eventgen how to decrease log verbosity

Introducing Splunk Enterprise Security 8.0!

Mastering Threat Hunting

Upcoming Community Maintenance: 10/28