Getting Data In

How do I remove Security event logs as one of my data inputs

aywong
Path Finder

When I had initiall installed my forwarder I selected "security" as one of my inputs. Now I want to remove this as an input.

Tags (2)
0 Karma
1 Solution

MHibbin
Influencer

Assuming you are talking windows here...

There will be an inputs.conf with the Splunk directory on the forwarder. This could be in a system location or an application, so either (where $SPLUNK_HOME is the Splunk installation directory (e.g. D:\Program Files\Splunk\)):

$SPLUNK_HOME\etc\system\local\inputs.conf

OR

$SPLUNK_HOME\etc\apps\<appName>\default\inputs.conf

OR

$SPLUNK_HOME\etc\apps\<appName>\local\inputs.conf

In this file (should be easy to find in windows) there will probably be something like:

[WinEventLog:Security]
disabled = 0 

There may be some extra parameters, but you will need to change the "disabled = 0" to "disabled = 1". E.g:

[WinEventLog:Security]
disabled = 1

This will disable that input, you will then need to restart Splunk on the forwarder to make sure that changes are applied.

View solution in original post

MHibbin
Influencer

Assuming you are talking windows here...

There will be an inputs.conf with the Splunk directory on the forwarder. This could be in a system location or an application, so either (where $SPLUNK_HOME is the Splunk installation directory (e.g. D:\Program Files\Splunk\)):

$SPLUNK_HOME\etc\system\local\inputs.conf

OR

$SPLUNK_HOME\etc\apps\<appName>\default\inputs.conf

OR

$SPLUNK_HOME\etc\apps\<appName>\local\inputs.conf

In this file (should be easy to find in windows) there will probably be something like:

[WinEventLog:Security]
disabled = 0 

There may be some extra parameters, but you will need to change the "disabled = 0" to "disabled = 1". E.g:

[WinEventLog:Security]
disabled = 1

This will disable that input, you will then need to restart Splunk on the forwarder to make sure that changes are applied.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...