Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Disable forwarding of Windows Event Logs

chrissale
Explorer
‎02-11-2014 03:27 AM

I am using a Universal Forwarder to collect events from a Windows server. In /etc/system/local I have created custom inputs.conf and outputs.conf to collect events from a log file and forward them on to an indexer. However, the indexer is also receiving events of the source type WinEventLog:Application, WinEventLog:System and WinEventLog:Security. How can I disable this?

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎02-11-2014 03:42 AM

These are set in $SPLUNK_HOME\etc\apps\MSIcreated\default\inputs.conf. You could either change the values there so that these inputs are disabled, or override them by adding new stanzas in etc/system/local/inputs.conf where you disable the inputs.

View solution in original post

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎02-11-2014 03:44 AM

Hi chrissale,

either disable the Windows Add-on on the universal forwarder or setup route and filter on the indexer to filter out the unwanted events. The later must be done on the indexer and is only valid for new events coming in, because the raw data does not get parsed by the universal forwarder.

hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎02-11-2014 03:42 AM

These are set in $SPLUNK_HOME\etc\apps\MSIcreated\default\inputs.conf. You could either change the values there so that these inputs are disabled, or override them by adding new stanzas in etc/system/local/inputs.conf where you disable the inputs.

Reply
Solved! Jump to solution

chrissale
Explorer
‎02-11-2014 04:05 AM

Hi Ayn, thanks for the quick response. I don't have $SPLUNK_HOME\etc\apps\MSIcreated. Never-the-less I added to following stanzas to $SPLUNK_HOME\etc\system\local\inputs.conf and that seems to have done the trick.

[WinEventLog://Application]
disabled = true
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...