Getting Data In

Why is the Universal Forwarder executing regmon, powershell and others without them being explicitly configured?

afx
Contributor

Hi,
Why is my UF on Windows executing various splunk-* tools without them being configured in any input?
Every few minutes I see them in sysmon:
splunk-powershell.exe
splunk-regmon.exe
splunk-powershell.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe
splunk-winprintmon.exe

I do not see them in any inputs.conf.

thx
afx

0 Karma
1 Solution

nickhills
Ultra Champion

In defaults/inputs.conf you should have something like this:

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60

Disable them in local/inputs.conf like this:

[perfmon]
interval = -1

[powershell]
interval = -1

[powershell2]
interval = -1

[admon]
interval = -1

[WinRegMon]
interval = -1

[WinNetMon]
interval = -1

[MonitorNoHandle]
interval = -1

[WinPrintMon]
interval = -1

Just watch your config file precedence if you need to re-enable them later.
You want these defined at a lower level than anything you might need later, so pushing an app called "z_overrides" with them defined in local reduces the likelihood of problems if you later enable them in another app (assuming you don't name all your apps z_something 🙂

If my comment helps, please give it a thumbs up!


0 Karma
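Once the override app is deployed, two things are worth checking: which inputs.conf actually won the precedence fight for each of those stanzas, and whether the splunk-*.exe helpers still show up in Sysmon. The PowerShell below is an added example for doing both; it is not from the thread or from Splunk. It assumes the default UF install path under Program Files, that `splunk btool inputs list --debug` prefixes each line with its source file (which it does on a standard install), and that Sysmon is writing process-creation events (Event ID 1) to its usual channel.

```powershell
# Added example (not from the original thread). Assumptions: default UF
# install path, Sysmon logging to Microsoft-Windows-Sysmon/Operational.
$SplunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
$Inputs     = 'admon','MonitorNoHandle','WinNetMon','WinPrintMon',
              'WinRegMon','perfmon','powershell','powershell2'

# 1. Effective configuration. With --debug, btool prefixes every output line
#    with the path of the .conf file it came from, so the From column tells
#    you whether local/, your z_overrides app, or system/default is winning.
$btool  = & "$SplunkHome\bin\splunk.exe" btool inputs list --debug 2>$null
$stanza = $null
$effective = foreach ($line in $btool) {
    # Each --debug line looks like: <path ending in .conf> <whitespace> <conf text>
    if ($line -match '^(?<file>\S.*?\.conf)\s+(?<text>.*)$') {
        $file = $Matches.file
        $text = $Matches.text.Trim()
        if ($text -match '^\[(?<name>[^\]]+)\]$') { $stanza = $Matches.name; continue }
        if ($stanza -in $Inputs -and $text -match '^(interval|disabled)\s*=\s*(?<val>.+)$') {
            [pscustomobject]@{
                Stanza  = $stanza
                Setting = $Matches[1]
                Value   = $Matches.val.Trim()
                From    = $file
            }
        }
    }
}
$effective | Sort-Object Stanza, Setting | Format-Table -AutoSize

# 2. Observation. Count splunk-*.exe process creations in the last hour.
#    Reading the named <Data Name="Image"> element is more robust than
#    relying on the positional property index in the Sysmon event.
$since = (Get-Date).AddHours(-1)
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $since
    } -ErrorAction Stop
} catch {
    # Get-WinEvent throws when the channel is missing or nothing matched.
    $events = @()
}

$events |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
    } |
    Where-Object { $_ -match '\\splunk-[^\\]+\.exe$' } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated prompt, since reading the Sysmon channel needs administrator rights. If the From column for a stanza's interval still points at etc\system\default\inputs.conf, the override has not taken effect (wrong app name ordering, or the deployment server has not pushed it yet), and the second table will keep showing fresh splunk-*.exe launches.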

jhornsby_splunk
Splunk Employee

Hi @afx,

Since version 7.3.0 of Splunk, there's also the new run_introspection configuration value. If you set that to false, and disabled to true for a particular modular input, then that input will never run (the alternative of interval = -1 means that the modular input will run once upon startup).

Cheers,

- Jo.

0 Karma

afx
Contributor

Still on 7.2.4, but good to know,
thx
afx

0 Karma

afx
Contributor

Thanks,
looks like that worked (I also added a disabled=1 as I did not put it into a local file but pushed it via the deployment server).

thx
afx

0 Karma

nickhills
Ultra Champion

I think they get invoked periodically in case you have any inputs configured.
With no inputs of those types defined, they execute and then quit.

The admon might also be invoked if you have any Windows events configured with evt_resolve_ad_obj defined, but even if you don't, I think it behaves the same way.

If my comment helps, please give it a thumbs up!
0 Karma

afx
Contributor

Not very efficient in my eyes, and they fill up the sysmon execution log.
The only benefit is the licence increase for Splunk ;-(

Any ideas on how to disable this?

thx
afx

0 Karma