
Splunk Add-on for Microsoft Windows 4.8.4 splunk-netmon.exe memory leak on host?

Explorer

I'm running the SplunkTAwindows app to collect host information from Windows Server 2012 R2 servers. If I start/restart the Splunk forwarder service, everything is fine; however, after a day or two the splunk-netmon.exe process seems to show signs of a memory leak. Over the course of a week or so, the process will consume 80-90% of the host's memory. Has anyone else run into this? I have this on multiple hosts running a mixed bag of different applications.

splunk forwarder version 6.6.6
splunk add on for microsoft windows version 4.8.4

inputs.conf for splunktawindows:

```
###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows
packetType = accept;connect

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows
packetType = accept;connect
```
0 Karma

Re: Splunk Add-on for Microsoft Windows 4.8.4 splunk-netmon.exe memory leak on host?

Builder

I was never a fan of filtering options (on the UF) for this input type. I recommend using Sysinternals Sysmon instead.

Here's your future search:

```
source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" "<EventID>3</EventID>" OR EventCode="3"
 | table _time host source EventID RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName 
 | sort 0 - _time
```
0 Karma