Solved: Re: Disable forwarding of Windows Event Logs

chrissale · ‎02-11-2014

I am using a Universal Forwarder to collect events from a Windows server. In /etc/system/local I have created custom inputs.conf and outputs.conf to collect events from a log file and forward them on to an indexer. However, the indexer is also receiving events of the source type WinEventLog:Application, WinEventLog:System and WinEventLog:Security. How can I disable this?

Ayn · ‎02-11-2014

These are set in $SPLUNK_HOME\etc\apps\MSIcreated\default\inputs.conf. You could either change the values there so that these inputs are disabled, or override them by adding new stanzas in etc/system/local/inputs.conf where you disable the inputs.

View solution in original post

MuS · ‎02-11-2014

Hi chrissale,

either disable the Windows Add-on on the universal forwarder or setup route and filter on the indexer to filter out the unwanted events. The later must be done on the indexer and is only valid for new events coming in, because the raw data does not get parsed by the universal forwarder.

hope this helps ...

cheers, MuS

Ayn · ‎02-11-2014

These are set in $SPLUNK_HOME\etc\apps\MSIcreated\default\inputs.conf. You could either change the values there so that these inputs are disabled, or override them by adding new stanzas in etc/system/local/inputs.conf where you disable the inputs.

chrissale · ‎02-11-2014

Hi Ayn, thanks for the quick response. I don't have $SPLUNK_HOME\etc\apps\MSIcreated. Never-the-less I added to following stanzas to $SPLUNK_HOME\etc\system\local\inputs.conf and that seems to have done the trick.

[WinEventLog://Application]
disabled = true
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true

Disable forwarding of Windows Event Logs

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!