Getting Data In

How to prevent the default logs from being forwarded (Windows UF)

xnx_1012
Explorer


Hello,

Whenever I forward something, these logs always get forwarded despite my having blacklisted them in inputs.conf. Is there any way for them to not be forwarded at all?


Inputs.conf

[WinEventLog://Security]
index = windows_test
whitelist = EventCode=%^(4634)$%
sourcetype = ad:security
disabled = 0

[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = 1
blacklist = %SplunkUniversalForwarder%


gcusello
SplunkTrust

Hi @xnx_1012,

First, if you have "disabled=1", the stanza isn't read by Splunk, so the blacklist configuration isn't used.

In addition, you're speaking of Splunk logs, which are in another inputs.conf, in "SPLUNK_HOME\etc\system\default\inputs.conf".

So if you want to block these logs, copy inputs.conf from system\default to system\local and put "disabled=1" in all stanzas of that inputs.conf.

Only to understand: why do you want to block these logs?

The internal Splunk logs don't count toward license consumption and are used to monitor the Splunk infrastructure, so I'd avoid blocking them because they are useful!

Ciao.

Giuseppe
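To make the two points above concrete (local stanzas layer over default ones key by key, and a stanza with disabled=1 is never read, so any blacklist in it is dead configuration), here is an added Python example; it is not Splunk's code, and both config strings are constructed stand-ins for the default and local inputs.conf. On a real forwarder, `splunk btool inputs list --debug` is the authoritative way to see the merged result.

```python
import configparser

# Constructed stand-in for $SPLUNK_HOME\etc\system\default\inputs.conf
DEFAULT_CONF = r"""
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
index = _internal
sourcetype = splunk_version
"""

# Constructed stand-in for $SPLUNK_HOME\etc\system\local\inputs.conf
LOCAL_CONF = r"""
[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = 1
blacklist = SplunkUniversalForwarder

[WinEventLog://Security]
index = windows_test
whitelist = EventCode=%^(4634)$%
"""


def parse(text):
    """Parse one inputs.conf layer into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (e.g. _TCP_ROUTING)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(*layers):
    """Later layers win key by key within a stanza, as local wins over default."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def effective_state(merged):
    """Report per stanza whether it runs, and which filters are ignored because it is disabled."""
    report = {}
    for stanza, keys in merged.items():
        disabled = keys.get("disabled", "0").strip().lower() in ("1", "true")
        ignored = [k for k in ("blacklist", "whitelist") if k in keys] if disabled else []
        report[stanza] = {"disabled": disabled, "ignored_filters": ignored,
                          "index": keys.get("index", "default")}
    return report


def effective_report():
    return effective_state(merge_layers(parse(DEFAULT_CONF), parse(LOCAL_CONF)))
```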

billy
Loves-to-Learn Everything

Hi @gcusello 

I found this post as I am trying to solve the same issue. I followed your suggestion and copied all the monitor stanzas from system\default\inputs.conf to my inputs file in system\local\inputs.conf, and inserted "disabled = 1" into all of them. Then I restarted Splunk.

However, a network capture from my Splunk server still shows all the log entries being forwarded.

Below is my inputs.conf file. Do you know what could be the issue?

Thanks, Billy.

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\watchdog\watchdog.log*]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
disabled = 1
index = _telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk_instrumentation_cloud.log*]
disabled = 1
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
disabled = 1
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\configuration_change.log]
disabled = 1
index = _configtracker

[WinEventLog://Security]
disabled = 0
renderXml = 1
whitelist = 4624, 4634

gcusello
SplunkTrust

Hi @billy ,

First, don't attach a new question to another one, especially when it's closed, because it's more difficult to get an answer; it's always better to open a new question, even on the same topic, to get a surely faster and probably better answer.

Anyway, in this way you block Splunk monitoring, and it isn't a good idea because you're blind to how Splunk is running.

Why do you want this?

The Splunk logs don't consume license, and you can limit the storage consumption using a limited (e.g. 7 days) retention on these logs.

Anyway, are you sure that you continue to receive these logs from that Forwarder?

I say this because with the configuration you shared it isn't possible to receive these logs from that Forwarder.

Check if the logs you're receiving have that source (the ones in the monitor stanza headers) and that host (the Forwarder where you changed the configuration).

Ciao.

Giuseppe


billy
Loves-to-Learn Everything

@gcusello 

Hi Giuseppe, thanks for the guidance! As you can tell I am a newbie here 😉 

Actually I did post a new question here https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-Windows-events-XML-to-a-3rd-part....

I was struggling and saw your Q/A.

I understand filtering at forwarder is not a good idea.

In any case I've figured out how exactly to filter things out in Splunk Server so my 3rd party partner would get XmlWinEvtLog messages only.

Thanks again!

Billy
