Splunk Add-on for Microsoft Windows 4.8.4 splunk-n...

bec · ‎12-28-2018

I'm running the Splunk_TA_windows app to collect host information from Windows Server 2012 R2 servers. If I start/restart the splunk forwarder service everything is fine however after a day or two the splunk-netmon.exe process seems to show signs of a memory leak. Over the course of a week or so the process will consume 80-90% of the host's memory. Has anyone else ran into this? I have this on multiple hosts running a mixed bag of different applications.

splunk forwarder version 6.6.6
splunk add on for microsoft windows version 4.8.4

inputs.conf for splunk_ta_windows:

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows
packetType = accept;connect

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows
packetType = accept;connect```

dstaulcu · ‎12-28-2018

I was never a fan of filtering options (on the uf) for this input type. recommend using sysinternals sysmon instead.

Here's your future search:

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" "<EventID>3</EventID>" OR EventCode="3"
 | table _time host source EventID RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName 
 | sort 0 - _time

Splunk Add-on for Microsoft Windows 4.8.4 splunk-netmon.exe memory leak on host?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!