Splunk Universal Forwarder is v6.4.x
Splunk Server is v6.5.x
In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf, I have:
[WinEventLog://Security]
disabled = 0
index = wmi
I would normally see about 240 WinEventLog://Security "splunkd.exe" events logged per hour (for weeks).
Suddenly, that number jumped to over 4 million WinEventLog://Security "splunkd.exe" events logged per hour, and my indexing limit was exceeded.
Here's what gets logged:
SourceName=Microsoft Windows security auditing.
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection.
Process ID: XXX
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe
Source Address: 10.X.X.X
Source Port: XXX
Destination Address: 172.X.X.X
Destination Port: XXX
Filter Run-Time ID: XXX
Layer Name: Connect
Layer Run-Time ID: X
What could have possibly changed in a Windows machine that suddenly makes it log so many WinEventLog:Security "splunkd.exe" events?
I could set disabled=1, but then I'd lose the ability to track who is logging in/out of that machine.
Is there any way to just omit logging these kinds of "Audit Success" / "The Windows Filtering Platform has permitted a connection" events?
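One way to drop just these events at the forwarder while keeping the rest of the Security log (added example, not from the thread or from Splunk_TA_windows): the WinEventLog input supports blacklist keys in inputs.conf. Windows writes "The Windows Filtering Platform has permitted a connection" as Security event ID 5156, so the stanza below assumes that ID and the index name from the question.

```ini
# local/inputs.conf on the Universal Forwarder (assumed stanza; the index name
# "wmi" is the one from the question). Logon/logoff events (4624/4634 etc.)
# are unaffected because only event ID 5156 is filtered.
[WinEventLog://Security]
disabled = 0
index = wmi

# Simple form: drop every event whose EventCode is 5156.
blacklist = 5156

# Narrower alternative (use instead of the line above, not in addition):
# drop 5156 only when the process is the forwarder itself, so WFP
# "permitted connection" events for other binaries are still indexed.
# blacklist1 = EventCode="5156" Message="splunkuniversalforwarder\\bin\\splunkd\.exe"
```

Two caveats a practitioner will want: blacklisting happens on the forwarder, so the events are still generated on the host and still read from the log; the forwarder just stops sending them. And a blacklist hides the symptom only. The 4-million-per-hour jump means "Audit Filtering Platform Connection" success auditing was turned on (by policy or by a product that changed the audit policy), which is worth confirming with auditpol before deciding whether to filter or to turn that subcategory back off.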
Did you ever figure out why the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" was making excessive connections to the machine? I have also run into this issue, but would like to know the root cause of excessive connections, and not excessive logs.
The excessive WinEventLog:Security events started the day some updates were pushed to the machine:
Microsoft Security Update for .NET
McAfee product updates (including Firewall update)
Hmm... But it could have been something else that triggered it too.
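To check the root-cause theory from the replies above (an update or a product changed the local audit policy), here is an added diagnostic that is not part of the thread. It runs on the affected Windows host, shows the current state of the "Filtering Platform Connection" audit subcategory, lists recent audit-policy change events (Security event ID 4719, "System audit policy was changed"), and counts the last hour's 5156 events by the process that generated them. The one-hour window and the top-10 cutoff are arbitrary choices.

```powershell
# 1. Is Success auditing enabled for the subcategory that produces event 5156?
#    Expected on a quiet host: "No Auditing"; on the noisy host: "Success".
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. When was the audit policy last changed, and by which account?
#    4719 events carry the changed subcategory and the subject account in the
#    message text, so they date the change relative to the update push.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. Which processes account for the 5156 volume in the last hour?
#    The "Application Name" line is parsed from the message text rather than
#    relying on a fixed event-data field position.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        if ($_.Message -match 'Application Name:\s+(\S+)') { $Matches[1].ToLower() } else { 'unknown' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 4. Mitigation at the source, if the subcategory is not needed on this host.
#    Check first whether a GPO sets it, since Group Policy will reapply it.
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

If step 3 shows splunkd.exe at the top, the forwarder's own outbound connections to the indexer (the 172.X.X.X destination in the question) are what is being audited, and the thousands of events per hour are normal WFP "permit" records for those connections, not a sign of unusual forwarder behaviour. The anomaly is then the audit policy change in step 2, not the connection count.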