Getting Data In

How to edit inputs.conf to prevent WinNetMon from using up all my license?

Builder

I enabled WinNetMon and need to throttle it back. Here is my inputs.conf:

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 1
interval = 60
readInterval = 500
index = os

[WinNetMon://outbound]
direction = outbound
disabled = 1
interval = 60
readInterval = 500
index = os

What can I tweak to make this less chatty? I do realize that there is a cost to doing this, but my license is exhausted. As you can see, I already changed readInterval from the default 100 to 500.

Path Finder

It seems that the default conf captures not just connection requests and accepts, but each packet (i.e. transport). Also, the events are duplicated in both the inbound and outbound sources.

I mitigated this by replacing the existing WinNetMon stanza with:

[WinNetMon://winnetmon]
direction = inbound;outbound
disabled = 0
index = windows
packetType = accept;connect

Path Finder

Genius! I was seeing CPU utilisation of 20-40% on our DCs from the splunk-netmon process, and this knocked it down to 2%.


Engager

I am trying to figure this out too. Can someone provide some examples from the inputs.conf file?

Using multikv mode seems to break the Splunk Microsoft Windows App for network monitoring.


Contributor

As described in Splunk Docs - inputs.conf, you could filter on remote addresses, processes and users.

remoteAddress = <regular expression>
* A regular expression that represents the remote IP address of a
  host that is involved in network communication.
* This setting accepts a regular expression that matches against
  IP addresses only, not host names. For example: 192\.163\..*
* The input includes events for remote IP addresses that match
  the regular expression that you specify here.
* The input filters out events for remote IP addresses that do not
  match the regular expression.
* Defaults to unset (including all remote address events).

process = <regular expression>
* A regular expression that represents the process or application that
  performed a network access.
* The input includes events for processes that match the
  regular expression that you specify here.
* The input filters out events for processes that do not match the
  regular expression.
* Defaults to unset (including all processes and application events).

user = <regular expression>
* A regular expression that represents the Windows user name that
  performed a network access.
* The input includes events for user names that match the
  regular expression that you specify here.
* The input filters out events for user names that do not match the
  regular expression.
* Defaults to unset (including all user name events).

Engager

I found that I could add

protocol = tcp;udp

to the inbound and outbound WinNetMon stanzas in inputs.conf file on the UF. That stopped the ICMP traffic, which helps.


Builder

Thank you for the reply, but I want all events, just fewer of them...


Explorer

It doesn't matter how frequently you choose to receive the events within the 24-hour window, the license will still get consumed for that day.

The only way to keep data ingestion within license limits is to filter unimportant events from coming in.
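Pulling the thread's advice together, here is an added example (not from any poster, and not Splunk tooling) that parses an inputs.conf with Python's configparser and flags the WinNetMon settings discussed above: no packetType (every packet logged), no protocol (ICMP included), no remoteAddress/process/user filter, reliance on interval/readInterval (timing only, no license effect), and more than one enabled stanza (the same connection logged twice). The sample configuration is constructed from the original poster's stanzas.

```python
import configparser

# Constructed sample based on the poster's two stanzas, with disabled = 0 so
# the audit has something to flag (the thread says the input was enabled).
SAMPLE_INPUTS_CONF = """\
###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
interval = 60
readInterval = 500
index = os

[WinNetMon://outbound]
direction = outbound
disabled = 0
interval = 60
readInterval = 500
index = os
"""

FILTER_KEYS = ("remoteAddress", "process", "user")


def audit_winnetmon(conf_text):
    """Return (stanza, finding) pairs for every enabled WinNetMon stanza.

    Stanza "*" carries findings that apply across stanzas.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase setting names as written
    cp.read_string(conf_text)
    enabled = [s for s in cp.sections()
               if s.startswith("WinNetMon://") and cp[s].get("disabled", "0").strip() != "1"]
    findings = []
    for s in enabled:
        sec = cp[s]
        if "packetType" not in sec:
            findings.append((s, "packetType unset: every packet is logged, not only accept/connect"))
        if "protocol" not in sec:
            findings.append((s, "protocol unset: ICMP is collected alongside tcp/udp"))
        if not any(k in sec for k in FILTER_KEYS):
            findings.append((s, "no remoteAddress/process/user filter: nothing is excluded"))
        if "readInterval" in sec or "interval" in sec:
            findings.append((s, "interval/readInterval only change timing; daily license volume is unchanged"))
    if len(enabled) > 1:
        findings.append(("*", "%d enabled stanzas: the same connection can be logged by each; "
                              "one stanza with direction = inbound;outbound avoids that" % len(enabled)))
    return findings


if __name__ == "__main__":
    for stanza, msg in audit_winnetmon(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {msg}")
```

Run it against the inputs.conf on a forwarder before deciding which of the thread's filters to apply; a tuned single stanza with packetType and protocol set leaves only the filter note.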

Engager

I'm wrestling with this as well. The WinNetMon traffic generates the largest number of events. Is there a way to write a RegEx to exclude processes, like ICMP which generates a lot of traffic?



Builder

I don't want to filter on just process and user; I want all of the data, just not as frequently.


Splunk Employee

In addition, setting the mode to multikv will help a lot as well.
