Assuming you are talking Windows here...
There will be an inputs.conf within the Splunk directory on the forwarder. This could be in a system location or an application, so either (where $SPLUNK_HOME is the Splunk installation directory (e.g. D:\Program Files\Splunk\)):
$SPLUNK_HOME\etc\system\local\inputs.conf
OR
$SPLUNK_HOME\etc\apps\<appName>\default\inputs.conf
OR
$SPLUNK_HOME\etc\apps\<appName>\local\inputs.conf
In this file (should be easy to find in Windows) there will probably be something like:
[WinEventLog:Security]
disabled = 0
There may be some extra parameters, but you will need to change the "disabled = 0" to "disabled = 1". E.g.:
[WinEventLog:Security]
disabled = 1
This will disable that input. You will then need to restart Splunk on the forwarder to make sure that changes are applied.
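When the [WinEventLog:Security] stanza exists in more than one of the locations listed above, the file that wins decides whether the edit takes effect. The following is an added example, not part of the original answer: it resolves the effective "disabled" value using a simplified model of Splunk's global-context precedence (system local, then app local, then app default, then system default), which is an assumption of this sketch, as are the app name example_app and the constructed file contents.

```python
import configparser

# Simplified precedence model (assumption), highest priority first.
LAYER_RANK = {"system/local": 0, "app/local": 1,
              "app/default": 2, "system/default": 3}

def layer_of(path):
    """Classify an inputs.conf path as (rank, app_name)."""
    parts = path.replace("\\", "/").split("/")
    i = parts.index("etc")
    if parts[i + 1] == "system":
        return LAYER_RANK["system/" + parts[i + 2]], ""
    # etc/apps/<appName>/<local|default>/inputs.conf
    return LAYER_RANK["app/" + parts[i + 3]], parts[i + 2]

def effective_setting(files, stanza, key="disabled"):
    """files maps path -> file text. Returns (value, winning_path),
    or (None, None) when no file sets the key in that stanza."""
    hits = []
    for path, text in files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        if cp.has_option(stanza, key):
            hits.append((layer_of(path), path, cp.get(stanza, key).strip()))
    if not hits:
        return None, None
    _, path, value = min(hits)  # lowest rank = highest precedence
    return value, path

# Constructed sample: the edit was made in default, but local still enables it.
HOME = r"D:\Program Files\Splunk"
APP_DEFAULT = HOME + r"\etc\apps\example_app\default\inputs.conf"
APP_LOCAL = HOME + r"\etc\apps\example_app\local\inputs.conf"
SYS_LOCAL = HOME + r"\etc\system\local\inputs.conf"
SAMPLE = {
    APP_DEFAULT: "[WinEventLog:Security]\ndisabled = 1\n",
    APP_LOCAL: "[WinEventLog:Security]\ndisabled = 0\n",
}

if __name__ == "__main__":
    value, path = effective_setting(SAMPLE, "WinEventLog:Security")
    print("effective disabled =", value, "from", path)
```

On a live forwarder, `splunk btool inputs list --debug` prints the merged settings together with the file each one comes from.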