Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit inputs.conf to prevent WinNetMon from using up all my license?

brent_weaver
Builder
‎11-16-2016 08:17 AM

I enabled WinNetMon and need to throttle it back. Here is my inputs.conf:

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 1
interval = 60
readInterval = 500
index = os

[WinNetMon://outbound]
direction = outbound
disabled = 1
interval = 60
readInterval = 500
index = os

What can I tweak to make this less chatty? I do realize that there is a cost to doing this but my license is exhausted. As you can see I already changed readInterval from the default 100 to 500

Reply

templets
Path Finder
‎02-03-2017 01:10 PM

It seems that the default conf captures not just connection requests and accepts, but each packet (i.e. transport). Also, the events are duplicated in both the inbound and outbound sources.

I mitigated this by replacing the existing WinNetMon stanza with:

[WinNetMon://winnetmon]
direction = inbound;outbound
disabled = 0
index = windows
packetType = accept;connect
Reply

samhodgson
Path Finder
‎01-31-2018 07:09 AM

Genius! was seeing cpu utilisation of 20-40% on our DC's from the splunk-netmon process and this knocked it down to 2%.

0 Karma
Reply

SAF_IT
Engager
‎12-30-2016 10:38 AM

I am trying to figure this out too. Can someone provide some examples from the inputs.conf file?

Using multikv mode seems to break the Splunk Microsoft Windows App. for network monitoring.

0 Karma
Reply

PPape
Contributor
‎11-16-2016 08:56 AM

As described in Splunk Docs - inputs.conf you could Filter to remote Adresses, processes and users.

remoteAddress = <regular expression>
* A regular expression that represents the remote IP address of a
  host that is involved in network communication.
* This setting accepts a regular expression that matches against
  IP addresses only, not host names. For example: 192\.163\..*
* The input includes events for remote IP addresses that match
  the regular expression that you specify here.
* The input filters out events for remote IP addresses that do not
  match the regular expression.
* Defaults to unset (including all remote address events).

process = <regular expression>
* A regular expression that represents the process or application that
  performed a network access.
* The input includes events for processes that match the
  regular expression that you specify here.
* The input filters out events for processes that do not match the
  regular expression.
* Defaults to unset (including all processes and application events).

user = <regular expression>
* A regular expression that represents the Windows user name that
  performed a network access.
* The input includes events for user names that match the
  regular expression that you specify here.
* The input filters out events for user names that do not match the
  regular expression.
* Defaults to unset (including all user name events).
0 Karma
Reply

SAF_IT
Engager
‎01-04-2017 11:05 AM

I found that I could add

protocol = tcp;udp

to the inbound and outbound WinNetMon stanzas in inputs.conf file on the UF. That stopped the ICMP traffic, which helps.

0 Karma
Reply

brent_weaver
Builder
‎11-16-2016 01:07 PM

Thank you for the reply but i want all events just less of them...

0 Karma
Reply

miteshp250283
Path Finder
‎11-30-2016 10:05 PM

It doesn't matter how frequently you choose to receive the events within the 24-hour window, the license will still get consumed for that day.

The only way to keep data ingestion within license limits is, to filter unimportant events from coming in.

Reply

SAF_IT
Engager
‎01-04-2017 10:09 AM

I'm wrestling with this as well. The WinNetMon traffic generates the largest number of events. Is there a way to write a RegEx to exclude processes, like ICMP which generates a lot of traffic?

0 Karma
Reply

SAF_IT
Engager
‎01-04-2017 11:26 AM

I found that I could add

protocol = tcp;udp

to the inbound and outbound WinNetMon stanzas in inputs.conf file on the UF. That stopped the ICMP traffic, which helps.

0 Karma
Reply

brent_weaver
Builder
‎11-16-2016 01:06 PM

I dont want to filter on just process and user, i want all of the data just not as frequently

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎11-16-2016 01:00 PM

In addition, setting the mode to multikv will help a lot as well.

0 Karma
Reply

emikulic
Explorer
‎10-18-2023 10:00 AM

This is an old post so a known issue. I think folks using ES app or using Splunk as a SIEM and almost any US Govt supplier will need most of that 'extra' info for any IT sec forensic analysis. Most all US Govt suppliers are subject to NIST now and CMMC coming in 2024. I would imagine HIPPA, SOX, GDPR, GLBA, and CCPA companies systems will need that as well.

It is noisy but attacks are very often using non-standard ports to transfer information/data to/from an outside host like ICMP, SSH, and RDP as most application level IDS/IPS are looking at 80/443 inspection.

For general SMB and Small Enterprise this is probably viable in some respects though.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...