Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I tell my Light Forwarder to stop forwarding internal logs?

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:52 PM

I have enabled the SplunkLightForwarder app and it sends internal logs to my indexers. Is there a way for me to stop the logs from being sent?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:55 PM

In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:

[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true

You may also individually disable each occurrence:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true

Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.

View solution in original post

Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:55 PM

In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:

[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true

You may also individually disable each occurrence:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true

Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.

Reply
Solved! Jump to solution

fuyong518
New Member
‎08-02-2015 09:51 PM

I attempted to disable the logging with $SPLUNK_HOME/var/log/splunk but it did not change anything.

I currently have problems with 2 x Windows 2008 with UAC enabled. Other Windows 2003 and 2008 WITHOUT UAC are fine. This leads me to believe it is the problem of the forwarder itself. I also tried to install forwarder with administrator rights. Unfortunately nothing has helped so far.

I tried Universal Forwarder 6.2.2, 6.2.4, and the server is 6.2.2.

Does anyone have similar issue?

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎08-02-2015 10:36 PM

i suggest you ask this question as a separate question; the question you're commenting on is 5 years old.

0 Karma
Reply
Solved! Jump to solution

fuyong518
New Member
‎08-02-2015 10:44 PM

I am a new user and I can't post more than 2 comments on my first day. Is there any way to grant me permission to post more?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...