Hello All,
I have a distributed system where I have a heavy forwarder collecting traffic from the UFs and forwarding events to the indexer. I have a DMC which is on another server. Currently I'm getting bombarded with 5156 and 5157 error messages from Windows Security. I've read somewhere that I can blacklist the values in inputs.conf. Can someone please let me know in which inputs.conf file on which server I have to do the blacklist? Alternatively, is there any other method to control this constant flow of data?
@ranjitbrhm1, add the following blacklist to your inputs.conf stanza to filter out events from UF:
blacklist = 5156,5157
Refer to documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_Security_...
Thanks for the answer @niketnilay, as always. I really appreciate it. But my main problem is: in which %SPLUNK_HOME%\etc\system\local\inputs.conf do I make the changes? The app that I use to deploy the inputs.conf to the UFs, the heavy forwarder's inputs, or the indexer's inputs? That's the question that is boggling me. I tried sending out this change via the DMC to the UFs but it does not seem to have any effect.
My inputs.conf file is as below:
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 1
start_from = oldest
index = winevents
blacklist = 5156|5157|5158

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[perfmon://Windows__Processor]
counters = *
instances = _Total
interval = 10
object = Processor
index = winevents

[perfmon://Windows__Memory]
counters = Available Bytes
interval = 10
@ranjitbrhm1, the heavy forwarder should definitely be able to filter, but the UF should be able to filter events upfront. If possible, test with a standalone machine and a test Splunk server.
You can look into sending unwanted data to nullQueue before indexing; however, I strongly feel this should work. Let me convert my answer to a comment for community Splunk experts to weigh in with their opinions.
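An added example (not part of this thread and not anyone's posted config) showing the two filtering points discussed above: the WinEventLog blacklist, which is evaluated by the input on the machine that reads the event log (the UF), and the nullQueue fallback on the heavy forwarder. The index name winevents is taken from the question; the stanza is assumed to be enabled and deployed to the UF through the deployment app:

```ini
# --- inputs.conf (lives on the Windows host running the UF, in the deployed app's local/ directory) ---
# The blacklist is applied by the WinEventLog input itself, so it only takes effect
# on the UF that collects the log. The same key on the HF or indexer does nothing.
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
# Comma-separated Event ID list; ranges such as 5156-5158 are also accepted.
blacklist = 5156,5157
# Equivalent key=regex form (documented syntax), if the filter ever needs more than the ID:
# blacklist1 = EventCode=%^(5156|5157)$%

# --- props.conf (on the heavy forwarder, which parses the data before indexing) ---
# Fallback when the data cannot be filtered at the source: drop it at parse time.
[source::WinEventLog:Security]
TRANSFORMS-drop_wfp = drop_wfp_events

# --- transforms.conf (same heavy forwarder) ---
# Matches the "EventCode=5156" / "EventCode=5157" line of a Windows security event
# and routes the whole event to nullQueue so it is never written to an index.
[drop_wfp_events]
REGEX = (?m)^EventCode=(5156|5157)\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

Two checks worth doing when the deployed change "has no effect": first, a copy of the same stanza in %SPLUNK_HOME%\etc\system\local\inputs.conf on the UF wins over the app's copy, so compare them with `splunk btool inputs list WinEventLog://Security --debug` on the UF; second, the UF needs a restart (or the deployment app needs restartSplunkd = true) for a changed input to be picked up. Filtering on the UF is the cheaper option because the events never leave the host, while nullQueue on the heavy forwarder still consumes forwarder bandwidth but does not count against the license.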
As always, your help and suggestions are most appreciated. I will spin up a Splunk server and a couple of clients and test this out. I myself have a couple of concepts that I need to test as well.
Thanks
/R