All Apps and Add-ons

Splunk Add-on for Microsoft Windows 4.8.4 splunk-netmon.exe memory leak on host?

bec
Explorer

I'm running the Splunk_TA_windows app to collect host information from Windows Server 2012 R2 servers. If I start/restart the splunk forwarder service everything is fine however after a day or two the splunk-netmon.exe process seems to show signs of a memory leak. Over the course of a week or so the process will consume 80-90% of the host's memory. Has anyone else ran into this? I have this on multiple hosts running a mixed bag of different applications.

splunk forwarder version 6.6.6
splunk add on for microsoft windows version 4.8.4

inputs.conf for splunk_ta_windows:

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows
packetType = accept;connect

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows
packetType = accept;connect```
0 Karma

dstaulcu
Builder

I was never a fan of filtering options (on the uf) for this input type. recommend using sysinternals sysmon instead.

Here's your future search:

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" "<EventID>3</EventID>" OR EventCode="3"
 | table _time host source EventID RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName 
 | sort 0 - _time
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...