Several inputs enabled after Splunk_TA_ipfix installed

mwong
Splunk Employee

After installing the Splunk_TA_ipfix add-on, it is found that several settings are inserted into Splunk inputs.

C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [MonitorNoHandle]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [SSL]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             allowSslRenegotiation = true
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dc_name =
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
C:\matthew\Splunk621\etc\system\local\inputs.conf                               host = percy
C:\matthew\Splunk621\etc\system\default\inputs.conf                             index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\system\default\inputs.conf                             sslQuietShutdown = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [WinEventLog]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               [WinEventLog://Application]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             checkpointInterval = 5
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             current_only = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               disabled = 0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             index = wineventlog
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             renderXml = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             start_from = oldest
0 Karma

jcoates_splunk
Splunk Employee

Hello from the future... this is now using modular inputs and doesn't enable inputs by default.

0 Karma

mwong
Splunk Employee

For the Splunk_TA_ipfix app, the inputs should be modular inputs, and the settings should look like this:

[ipfix://NetScaler_AppFlow]
sourcetype = xxx
index = aaaa
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = 0

However, for the default inputs.conf in the app, I would suggest commenting out the stanza, as it causes all the inputs to have some weird settings.

#[ipfix]
#address = 0.0.0.0
#port = 4739
#buffer = 10485760 
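
One way to check for this kind of leak in a path-prefixed listing like the one in the question (the layout `splunk btool inputs list --debug` prints), as an added example that is not code from the posters or from the add-on. It uses a heuristic, which is an assumption of this example: the same app-sourced key and value appearing in two or more stanzas suggests the setting sits in global scope. The function names and the sample paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same path-prefixed layout as the listing in the question.
SAMPLE = r"""
C:\splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf      [SSL]
C:\splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf      address = 0.0.0.0
C:\splunk\etc\system\default\inputs.conf                    interval = 60
C:\splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf      port = 4739
C:\splunk\etc\apps\Splunk_TA_windows\local\inputs.conf      [WinEventLog://Application]
C:\splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf      address = 0.0.0.0
C:\splunk\etc\apps\Splunk_TA_windows\local\inputs.conf      disabled = 0
host = percy
C:\splunk\etc\apps\Splunk_TA_windows\default\inputs.conf    index = wineventlog
C:\splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf      port = 4739
"""

# App name is the directory right after etc/apps/ (either slash style).
APP = re.compile(r"[\\/]etc[\\/]apps[\\/]([^\\/]+)[\\/]")

def parse(listing):
    """Yield (stanza, key, value, source_path) for every setting line."""
    stanza = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.match(r"^(.*?\.conf)\s+(.*)$", line)
        path, body = (m.group(1), m.group(2)) if m else (None, line)
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
        elif "=" in body and stanza is not None:
            key, _, value = body.partition("=")
            yield stanza, key.strip(), value.strip(), path

def leaked_settings(listing, min_stanzas=2):
    """Map (app, key, value) -> stanzas, for settings one app spreads widely.

    Settings from etc/system and lines whose source path is missing are
    ignored: system defaults are expected to apply to every stanza.
    """
    seen = defaultdict(set)
    for stanza, key, value, path in parse(listing):
        app = APP.search(path) if path else None
        if app:
            seen[(app.group(1), key, value)].add(stanza)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_stanzas}

if __name__ == "__main__":
    for (app, key, value), stanzas in leaked_settings(SAMPLE).items():
        print(f"{app}: {key} = {value} appears in {stanzas}")
```

On the constructed sample this reports `address = 0.0.0.0` and `port = 4739` from Splunk_TA_ipfix in both stanzas, while the Splunk_TA_windows settings, which appear in one stanza only, are not reported.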