Why am I seeing Windows messages in a Linux UFW?

a212830
Champion

Hi,

I noticed this in my Linux UFW splunkd.log:

12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinNetMon://" with 15 parameters: remoteAddress, process, user, addressFamily, packetType, direction, protocol, readInterval, driverBufferSize, userBufferSize, mode, multikvMaxEventCount, multikvMaxTimeMs, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinPrintMon://" with 4 parameters: type, baseline, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinRegMon://" with 7 parameters: proc, hive, type, baseline, baseline_interval, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "admon://" with 7 parameters: targetDc, startingNode, monitorSubtree, disabled, index, printSchema, baseline
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "perfmon://" with 10 parameters: object, counters, instances, interval, mode, samplingInterval, stats, disabled, index, showZeroValue

Why is a Linux UFW reporting on Windows monitors?


Richfez
SplunkTrust

I don't know if you have resolved this or not, but my first guess would be that the Splunk_TA_windows got deployed to the *nix UF, possibly via a deployment server if you use one.

You could check this with the btool command, which on *nix, if you installed in the default location, would be /opt/splunk/bin/splunk cmd btool --debug inputs list, or, to specifically see just one of the above, perhaps /opt/splunk/bin/splunk cmd btool --debug inputs list WinRegMon.

That should output from which app the input stanzas are being read. Once you have the app name/directory, you could do a little manual sleuthing to see if you can figure out how it got there.

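The sleuthing step above can be scripted. This is an added example, not code from the thread or from Splunk: it pipes the btool --debug listing through awk and prints, for each Windows-only stanza (the five seen in the log), the app directory the stanza was read from. It assumes btool --debug prefixes every output line with the source .conf path and that apps live under etc/apps/<app>/ or etc/deployment-apps/<app>/; the sample btool output at the bottom is constructed.

```shell
#!/bin/sh
# Map Windows-only input stanzas in `splunk cmd btool --debug inputs list` output
# to the app directory they come from. Assumption (not stated in the thread):
# btool --debug prefixes each line with the source .conf path, and apps live
# under etc/apps/<app>/ or etc/deployment-apps/<app>/.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
WIN_STANZAS='WinNetMon|WinPrintMon|WinRegMon|admon|perfmon'   # stanzas seen in splunkd.log

# Reads btool --debug output on stdin; prints "<app>TAB<stanza>" once per Windows stanza.
windows_stanza_sources() {
    awk -v re="^[[](${WIN_STANZAS})://" '
        {
            path = $1                                     # first field: the .conf file path
            line = $0; sub(/^[^ \t]+[ \t]+/, "", line)    # the rest: the conf line itself
        }
        line ~ re {
            n = split(path, parts, "/"); app = "?"
            for (i = 1; i < n; i++)
                if (parts[i] == "apps" || parts[i] == "deployment-apps") { app = parts[i+1]; break }
            stanza = line; sub(/^[[]/, "", stanza); sub(/[]].*$/, "", stanza)
            print app "\t" stanza
        }' | LC_ALL=C sort -u
}

# Run against a real forwarder (needs a Splunk install; the demo below does not use it).
windows_stanza_sources_live() {
    "$SPLUNK_HOME/bin/splunk" cmd btool --debug inputs list | windows_stanza_sources
}

# Constructed sample of btool --debug output, not taken from the original thread.
SAMPLE_BTOOL='/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf    [WinRegMon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf    disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf    [perfmon://CPU]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf    object = Processor
/opt/splunk/etc/apps/nix_app/local/inputs.conf                [monitor:///var/log/messages]
/opt/splunk/etc/system/default/inputs.conf                    [default]
/opt/splunk/etc/system/default/inputs.conf                    host = $decideOnStartup'

printf '%s\n' "$SAMPLE_BTOOL" | windows_stanza_sources
```

Replace the demo line with windows_stanza_sources_live on the forwarder itself; any app other than the expected ones in the first column is the one to trace back through the deployment server.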