Getting Data In

How to prevent the default logs from being forwarded (Windows UF)

xnx_1012
Explorer

Hello,

Whenever I forward something, these logs always get forwarded even though I blacklisted them in inputs.conf. Is there any way for them not to be forwarded at all?

Inputs.conf

[WinEventLog://Security]
index = windows_test
whitelist = EventCode=%^(4634)$%
sourcetype = ad:security
disabled = 0

[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = 1
blacklist = %SplunkUniversalForwarder%

gcusello
SplunkTrust

Hi @xnx_1012,

At first, if you have "disabled=1" the stanza isn't read by Splunk, so the blacklist configuration isn't used.

In addition, you're speaking of Splunk logs, which are in another inputs.conf, in "SPLUNK_HOME\etc\system\default\inputs.conf".

So if you want to block these logs, copy the inputs.conf from system\default to system\local and put "disabled=1" in all stanzas of inputs.conf.

Only to understand: why do you want to block these logs?

The internal Splunk logs don't count toward license consumption and are used to monitor the Splunk infrastructure, so I'd avoid blocking them because they are useful!

Ciao.

Giuseppe
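To make Giuseppe's two points concrete (a stanza carrying disabled=1 never has its whitelist or blacklist evaluated, and a copy of a stanza in system\local overrides the shipped default stanza key by key), here is an added example, not code from this thread and not Splunk's own code: a small Python model of how a forwarder layers inputs.conf. It assumes the documented precedence for inputs.conf (system/default lowest, system/local highest), that files are merged per stanza by the literal header text, and that only the exact key disabled switches a stanza off. Every line of configuration inside it is constructed for the example, loosely modelled on the stanzas quoted in this thread.

```python
"""Toy model of how a universal forwarder layers inputs.conf files.

Added example, not Splunk's own code. Assumptions: system/default is the
lowest-precedence layer and system/local the highest; stanzas are matched
across layers by their literal header text and the higher layer overrides
key by key; only the exact key `disabled` switches a stanza off.
All configuration text below is constructed for the example.
"""
import re
from collections import OrderedDict

# Constructed stand-in for system/default/inputs.conf (headers use
# $SPLUNK_HOME the way the stanza quoted in the question does).
DEFAULT_INPUTS = r"""
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\configuration_change.log]
index = _configtracker
"""

# Constructed stand-in for system/local/inputs.conf.
LOCAL_INPUTS = r"""
# Header copied byte-for-byte, so it overrides the default stanza above;
# the blacklist here is pointless because the stanza is switched off.
[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = 1
blacklist = %SplunkUniversalForwarder%

# Misspelled key: 'disable' is not 'disabled', so this stanza stays enabled.
[monitor://$SPLUNK_HOME\var\log\splunk\configuration_change.log]
disable = 1

[WinEventLog://Security]
index = windows_test
whitelist = EventCode=%^(4634)$%
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse .conf text into {stanza header: {key: value}}; blank and comment lines are skipped."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2).strip()
    return stanzas


def merge_layers(*layers):
    """Merge layers given lowest precedence first; a later layer wins key by key, not stanza by stanza."""
    merged = OrderedDict()
    for layer in layers:
        for header, attrs in layer.items():
            merged.setdefault(header, OrderedDict()).update(attrs)
    return merged


def is_enabled(attrs):
    """A stanza is off only when the exact key `disabled` is set to a true value."""
    return attrs.get("disabled", "0").strip().lower() not in ("1", "true")


def forwarded_inputs(merged):
    """Headers of the stanzas the forwarder would actually run after merging."""
    return [header for header, attrs in merged.items() if is_enabled(attrs)]


def lint(merged):
    """Flag the two mistakes this thread turns on: a filter inside a disabled
    stanza (never evaluated) and a key that is almost, but not, `disabled`."""
    findings = []
    for header, attrs in merged.items():
        if not is_enabled(attrs) and ("whitelist" in attrs or "blacklist" in attrs):
            findings.append(f"[{header}] is disabled, so its whitelist/blacklist is never applied")
        for key in attrs:
            if key != "disabled" and key.lower().startswith("disabl"):
                findings.append(f"[{header}] key '{key}' is not 'disabled'; the stanza stays enabled")
    return findings


if __name__ == "__main__":
    merged = merge_layers(parse_conf(DEFAULT_INPUTS), parse_conf(LOCAL_INPUTS))
    for header in forwarded_inputs(merged):
        print("forwarding:", header)
    for finding in lint(merged):
        print("warning:", finding)
```

Running it lists the inputs that survive the merge (the configuration_change.log stanza and the Security channel, not the var\log\splunk directory) and prints one warning for each of the two mistakes. The headers of the monitor stanzas that remain enabled are also what to compare against the source and host fields of the internal events you still see arriving, which is the check Giuseppe suggests further down in this thread.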

billy
Loves-to-Learn Everything

Hi @gcusello 

I found this post as I am trying to solve the same issue. I followed your suggestion and copied all the monitor stanzas from system\default\inputs.conf to my inputs file in system\local\inputs.conf, and inserted "disable = 1" into all of them. Then I restarted Splunk.

However, a network capture from my Splunk server is still showing all the log entries being forwarded.

Below is my inputs.conf file. Do you know what could be the issue?

Thanks, Billy.

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\watchdog\watchdog.log*]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
disabled = 1
index = _telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk_instrumentation_cloud.log*]
disabled = 1
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
disabled = 1
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\configuration_change.log]
disabled = 1
index = _configtracker

[WinEventLog://Security]
disabled = 0
renderXml = 1
whitelist = 4624, 4634
gcusello
SplunkTrust

Hi @billy ,

At first, don't attach a new question to another one, especially when closed, because it's more difficult to get an answer; it's always better to open a new question, even with the same topic, to get a surely faster and probably better answer.

Anyway, in this way you block the Splunk monitoring, and it isn't a good idea because you're blind on how Splunk is running.

Why do you want this?

The Splunk logs don't consume license, and you can limit the storage consumption using a limited (e.g. 7 days) retention on these logs.

Anyway, are you sure that you continue to receive these logs from that Forwarder?

I say this because with the configuration you shared it isn't possible to receive these logs from that Forwarder.

Check if the logs you're receiving have that source (the ones in the monitor stanza header) and that host (the Forwarder where you changed the configuration).

Ciao.

Giuseppe

billy
Loves-to-Learn Everything

@gcusello 

Hi Giuseppe, thanks for the guidance! As you can tell, I am a newbie here 😉

Actually I did post a new question here https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-Windows-events-XML-to-a-3rd-part....

I was struggling and saw your Q/A.

I understand filtering at forwarder is not a good idea.

In any case I've figured out how exactly to filter things out in Splunk Server so my 3rd party partner would get XmlWinEvtLog messages only.

Thanks again!

Billy