Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I tell my Light Forwarder to stop forwarding internal logs?

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:52 PM

I have enabled the SplunkLightForwarder app and it sends internal logs to my indexers. Is there a way for me to stop the logs from being sent?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:55 PM

In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:

[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true

You may also individually disable each occurrence:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true

Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.

View solution in original post

Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-08-2010 04:55 PM

In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:

[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true

You may also individually disable each occurrence:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true

Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.

Reply
Solved! Jump to solution

fuyong518
New Member
‎08-02-2015 09:51 PM

I attempted to disable the logging with $SPLUNK_HOME/var/log/splunk but it did not change anything.

I currently have problems with 2 x Windows 2008 with UAC enabled. Other Windows 2003 and 2008 WITHOUT UAC are fine. This leads me to believe it is the problem of the forwarder itself. I also tried to install forwarder with administrator rights. Unfortunately nothing has helped so far.

I tried Universal Forwarder 6.2.2, 6.2.4, and the server is 6.2.2.

Does anyone have similar issue?

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎08-02-2015 10:36 PM

i suggest you ask this question as a separate question; the question you're commenting on is 5 years old.

0 Karma
Reply
Solved! Jump to solution

fuyong518
New Member
‎08-02-2015 10:44 PM

I am a new user and I can't post more than 2 comments on my first day. Is there any way to grant me permission to post more?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...