I'm running the Splunk_TA_windows app to collect host information from Windows Server 2012 R2 servers. If I start/restart the Splunk forwarder service everything is fine; however, after a day or two the splunk-netmon.exe process seems to show signs of a memory leak. Over the course of a week or so the process will consume 80-90% of the host's memory. Has anyone else run into this? I have this on multiple hosts running a mixed bag of different applications.
Splunk forwarder version 6.6.6
Splunk Add-on for Microsoft Windows version 4.8.4
inputs.conf for splunk_ta_windows:
```
###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows
packetType = accept;connect

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows
packetType = accept;connect
```
I was never a fan of the filtering options (on the UF) for this input type. I recommend using Sysinternals Sysmon instead.
Here's your future search:
source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" "<EventID>3</EventID>" OR EventCode="3"
| table _time host source EventID RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName
| sort 0 - _time
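As an added example (not part of the answer above or of Splunk's or Sysmon's own code), the script below shows what the fields in that search look like when they arrive as rendered Sysmon Event ID 3 XML, and how the two WinNetMon stanzas (inbound/outbound) map onto Sysmon's single `Initiated` flag. The event documents are constructed in the script to follow the documented Sysmon Event ID 3 field names; the hostnames, addresses and GUIDs are made up, and `make_event`, `parse_network_event` and `parse_network_events` are helper names chosen here.

```python
"""Parse Sysmon Event ID 3 (network connection) XML into the field set used by
the Splunk search above, and derive a WinNetMon-style direction from Initiated.

Added example: the event XML is constructed here to match the documented
Sysmon Event ID 3 field names; nothing below is captured from a real host."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Sysmon Event ID 3 EventData fields, in the order the search tables them.
NETWORK_FIELDS = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "User",
    "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
    "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp",
    "DestinationHostname", "DestinationPort", "DestinationPortName",
]
INT_FIELDS = {"ProcessId", "SourcePort", "DestinationPort"}


def make_event(event_id, computer, data):
    """Build a minimal Windows event XML document (constructed sample data)."""
    rows = "".join(
        f'<Data Name="{name}">{escape(str(value))}</Data>'
        for name, value in data.items()
    )
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
        f'<Computer>{escape(computer)}</Computer></System>'
        f'<EventData>{rows}</EventData></Event>'
    )


def parse_network_event(xml_text):
    """Return the Event ID 3 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "3":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    row = {"host": root.findtext("e:System/e:Computer", default="", namespaces=NS)}
    for name in NETWORK_FIELDS:
        value = data.get(name, "")          # missing Data element -> empty string
        if name in INT_FIELDS and value.isdigit():
            value = int(value)
        row[name] = value
    # Sysmon has no inbound/outbound stanzas: Initiated=true means the local
    # process opened the connection (WinNetMon "outbound"), false means it
    # accepted one (WinNetMon "inbound").
    row["direction"] = "outbound" if row["Initiated"].lower() == "true" else "inbound"
    return row


def parse_network_events(xml_events):
    """Keep only Event ID 3 records from a sequence of rendered event XML."""
    rows = (parse_network_event(x) for x in xml_events)
    return [r for r in rows if r is not None]


# Constructed sample events (made-up hosts, addresses and GUIDs).
_BASE = dict(
    RuleName="-", UtcTime="2018-06-01 12:00:00.000",
    ProcessGuid="{00000000-0000-0000-0000-000000000001}", ProcessId="1234",
    Image=r"C:\Windows\System32\svchost.exe", User=r"NT AUTHORITY\SYSTEM",
    Protocol="tcp", Initiated="true", SourceIsIpv6="false", SourceIp="10.0.0.5",
    SourceHostname="srv01.example.local", SourcePort="49152", SourcePortName="-",
    DestinationIsIpv6="false", DestinationIp="10.0.0.10",
    DestinationHostname="dc01.example.local", DestinationPort="445",
    DestinationPortName="microsoft-ds",
)
SAMPLE_EVENTS = [
    make_event(3, "srv01.example.local", _BASE),
    make_event(3, "srv01.example.local", {
        **_BASE, "Initiated": "false", "Image": r"C:\Windows\System32\lsass.exe",
        "SourceIp": "10.0.0.10", "SourcePort": "445",
        "DestinationIp": "10.0.0.5", "DestinationPort": "49152",
    }),
    # Event ID 1 (process create) is not a network connection and is skipped.
    make_event(1, "srv01.example.local", {"Image": r"C:\Windows\System32\cmd.exe"}),
]

if __name__ == "__main__":
    for r in parse_network_events(SAMPLE_EVENTS):
        print(r["direction"], r["Image"], f'{r["SourceIp"]}:{r["SourcePort"]}',
              "->", f'{r["DestinationIp"]}:{r["DestinationPort"]}')
```

The search above matches `<EventID>3</EventID>` as raw text, which assumes the Sysmon operational log is forwarded with XML rendering; the parser follows the same assumption and reads the `Name` attribute of each `Data` element, which is where Splunk's extracted field names come from.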