Getting Data In

How to configure universal forwarder to ignore a directory

mysicksi
Path Finder

Hello,
I currently have a Splunk universal forwarder on a few of my windows servers. The UF config is received by my Splunk deployment server. I have .exe processes that are currently utilizing much of my license and would like to disable Splunk from indexing those processes.

All .exe processes I want to ignore are in the c:\Program Files (x86)\Camera System Center 6* subdirectory. I included * for all of them.

Would I just add something like below to the universal forwarder config file in the deployment server to achieve my goal?

(Pound sign here#) Disable Camera Process Monitoring
[monitor:c:\Program Files (x86)\Camera System Center 6\*]   
disabled = 1

Thank you!

0 Karma

nickhills
Ultra Champion

You will need to nullqueue these events.
These look like process monitoring events, so dropping just the events with your noisy process is the way to go.

I am going to assume these arrive with the sourcetype=proccess_logs.
I am also going to assume that whilst you have version 5.7 installed today it could be 6.0 in the future.

On your HF, or Indexers (whichever occurs first in the Splunk event flow path)

props.conf

[proccess_logs]
TRANSFORMS-drop_cctv_events=drop_cctv_events

transforms.conf

[drop_cctv_events]
REGEX=ProcessName\=.+camera\ssystem\scenter\s\d\.\d\\camerasystem\.exe
DEST_KEY=queue
FORMAT=nullQueue

This will only apply for data arriving from the time of the change, but this should prevent these logs being indexed in the future.

If my comment helps, please give it a thumbs up!
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Disabling an input turns off processing of the stanza. It's not the same as "don't ever read files matching this pattern". For that you want the blacklist attribute.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mysicksi,
you have to insert in inputs.conf that takes these files a blacklist option

blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
  specified regex.
* Takes precedence over the deprecated '_blacklist' setting, which functions
  the same way.
* If a file matches the regexes in both the blacklist and whitelist settings,
  the file is NOT monitored. Blacklists take precedence over whitelists.
* No default.

for more infos see at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Blacklist

In your case:

blacklist = c:\\Program Files \(x86\)\\Camera System Center 6

Otherwise, you can filter these logs on Indexers (or Heavy Forwarders when present) as described at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_... .

Ciao.
Giuseppe

0 Karma

mysicksi
Path Finder

Hello,

Thank you for the detailed response. It still did not work. I am actually using 5.7, so not sure if that broke your Regex.

Here is one of the events I searched that I would like to have ignored and not make it to my search head:

index="windows" ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"

AddressFamily=ipv4
AddressFamilyId=2
PacketType=transport
PacketTypeId=2
Direction=outbound
Protocol=TCP
ProtocolId=6
LocalAddress=
LocalPort=5500
RemoteHostName=
RemoteAddress=
RemotePort=61439
ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
UserName="nt authority\system"
UserSid=s-1-5-18
UserId=0-0
HeaderSizeBytes=0
IPsecProtected=0
TransportHeaderSizeBytes=0

0 Karma

nickhills
Ultra Champion

What kind of logs are these - splunk will not index executable files, so I am not clear what you are trying to reduce.

Do you mean you are seeing a large number of events for this process in your winevent logs, or is this in some other sourcetype?

Can you post an example of the logs you want to ignore?

If my comment helps, please give it a thumbs up!

mysicksi
Path Finder

Here is one of the events I searched:

index="windows" ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"

AddressFamily=ipv4
AddressFamilyId=2
PacketType=transport
PacketTypeId=2
Direction=outbound
Protocol=TCP
ProtocolId=6
LocalAddress=
LocalPort=5500
RemoteHostName=
RemoteAddress=
RemotePort=61439
ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
UserName="nt authority\system"
UserSid=s-1-5-18
UserId=0-0
HeaderSizeBytes=0
IPsecProtected=0
TransportHeaderSizeBytes=0

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...