How to disable processes run frequently by Splunk universal forwarder?

Path Finder

I see that these commands are executed every minute:

splunk-powershell.exe
splunk-winprintmon.exe
splunk-regmon.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe

The first one actually runs twice per minute.

Is there a way to disable these? Are these some scripted inputs? I cannot locate them in the config.

I tried adding this, for example, to my config, but it did not seem to change anything:

[WinNetMon]
disabled = 1
[WinPrintMon]
disabled = 1
[WinRegMon]
disabled = 1

Re: How to disable processes run frequently by Splunk universal forwarder?

Splunk Employee

What version of the forwarder are you on? The newer versions don't install Windows monitors by default anymore, IIRC. Checking...


Re: How to disable processes run frequently by Splunk universal forwarder?

Path Finder
C:\Program Files\SplunkUniversalForwarder\bin>.\splunk version
Splunk Universal Forwarder 6.5.1 (build f74036626f0c)

Re: How to disable processes run frequently by Splunk universal forwarder?

Path Finder

I did add SplunkTAwindows app, but then realized that even if I remove it and restart the service, these programs continue to run just as frequently....


Re: How to disable processes run frequently by Splunk universal forwarder?

Splunk Employee

Yeah, it looks as if the process spins up just to realize it doesn't have to run.


Re: How to disable processes run frequently by Splunk universal forwarder?

Path Finder

That would make sense indeed. Thanks.
I hope someone figured out how to disable this behavior...


Re: How to disable processes run frequently by Splunk universal forwarder?

SplunkTrust

Have you tried (in a command window open as administrator):

splunk btool inputs list  --debug

That should tell you which file is enabling the inputs, perhaps there is another inputs.conf file enabling these inputs that you are not noticing...


Re: How to disable processes run frequently by Splunk universal forwarder?

Path Finder

I did, but I'm not sure I can identify the ones responsible for these programs.
The ones I suspected are the ones I tried to disable, see my original post, but to no avail.

$ cat   /cygdrive/d/LogServer/foo.txt | grep '\['
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [MonitorNoHandle]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [SSL]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinEventLog]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   [WinEventLog://System]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinPrintMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinRegMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [admon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [batch://C:\Program Files\SplunkUniversalForwarder\var\spool\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [batch://C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\...stash_new]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [blacklist:C:\Program Files\SplunkUniversalForwarder\etc\auth]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                          [default]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [fschange:C:\Program Files\SplunkUniversalForwarder\etc]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf         [http]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [perfmon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [powershell]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [powershell2]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [script]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [script://C:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [splunktcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [tcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [udp]

Re: How to disable processes run frequently by Splunk universal forwarder?

SplunkTrust

Under:
[WinNetMon]
[WinPrintMon]
[WinRegMon]

Do you see the disabled = 1 ?


Re: How to disable processes run frequently by Splunk universal forwarder?

Path Finder

You're right, I don't see that! It ignored my input stanzas in:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

for example:

C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = idmsrv01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        [WinPrintMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        evt_resolve_ad_obj = 0
host = idmsrv01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                        interval = 60
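A small parser for the btool --debug layout shown in the two posts above, added here as an example that is not from the thread or from Splunk: it records which file won each setting and reports, for the stanzas the poster tried to disable, whether a `disabled = 1` actually took effect and from which file. The sample output is constructed to mirror the layout in the thread (same stanza names and paths); `parse_btool_debug` and `audit` are the example's own names.

```python
import re
from collections import OrderedDict

# Constructed sample, not the thread's real output, laid out the way
# `splunk btool inputs list --debug` prints it: winning file, then the stanza
# header or `key = value`. Lines without a path (the `host = ...` lines) carry no source.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   baseline = 0
host = idmsrv01
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   [WinRegMon]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf   disabled = 1
"""

# Optional Windows path ending in .conf, then the stanza header or key = value.
LINE = re.compile(r"^(?:(?P<path>[A-Za-z]:\\.*?\.conf)\s+)?(?P<body>\S.*?)\s*$")

def parse_btool_debug(text):
    """Return {stanza: (stanza_file, {key: (value, source_file)})} in output order."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        path, body = m.group("path"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = (path, OrderedDict())
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][1][key.strip()] = (value.strip(), path)
    return stanzas

def audit(text, wanted):
    """Per stanza in `wanted`: is it disabled in the merged config, and which file set disabled=?"""
    stanzas = parse_btool_debug(text)
    report = {}
    for name in wanted:
        if name not in stanzas:
            report[name] = "not present in merged config"
        elif "disabled" not in stanzas[name][1]:
            # No layer set disabled=, so the input runs: the local stanza was never read.
            report[name] = "enabled: no disabled= setting from any file"
        else:
            value, source = stanzas[name][1]["disabled"]
            state = "disabled" if value.lower() in ("1", "true") else "enabled"
            report[name] = "%s by %s" % (state, source or "<no source file>")
    return report
```

Run it over the real output saved from `splunk btool inputs list --debug`; a stanza reported as "enabled: no disabled= setting from any file" means no inputs.conf layer that btool merged contained your stanza at all.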