Getting Data In

WinEvents are sent to indexer, but forwarder is disabled

erinhamilton
Engager

I have turned this particular Universal Forwarder off (it is for testing); however, I continue to receive WinEvents from this server.

There is not a wmi.conf in any of the inputs for this forwarder. I have the forwarder service disabled and the outputs.conf has been renamed, and all of the monitor stanzas have been set to disabled.

How can I stop receiving the WinEvents (this is an extra 40 MB/day that I don't need indexed)?

0 Karma

lukejadamec
Super Champion

If you stop the splunkd service on the forwarder, and you are still getting inputs, then you are getting them from wmi, which does not require a forwarder. WMI inputs are network based and controlled by the indexer configuration.

Check the wmi inputs on the indexer from Manager > inputs. You may see that wmi inputs are enabled for that server. If they are visible in Manager, then you can disable them from there. If there are no WMI inputs in Manager, the server's forwarder is stopped, and you are still getting data, then check the inputs.conf files manually.

You can also disable the wmi input on the indexer manually by setting the wmi input to disabled = 1. You can find the wmi.conf files in the TA_Windows, Windows, and system default and local inputs.conf files. The location of the input will vary depending on your configuration.
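
As an added example (not code from the thread or from Splunk), the following shell check, run on the indexer, does what the answer above describes: it walks the places the indexer merges input configuration from (system default/local and every app's default/local wmi.conf and inputs.conf), pulls out every [WMI:...] and [WinEventLog:...] stanza, and reports the ones that are still enabled. A stanza with no disabled key is treated as enabled, which is how Splunk treats it. SPLUNK_HOME defaulting to /opt/splunk, the host name winhost01 and the two sample conf files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Finds WMI / WinEventLog input stanzas
# across the indexer's merge locations and shows which are still enabled.
# SPLUNK_HOME (assumed /opt/splunk) and the sample files are assumptions.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Print "<file> <stanza> <disabled-value>" for each WMI/WinEventLog stanza in
# one .conf file. No 'disabled' key in the stanza is reported as 0 (enabled).
list_win_stanzas() {
    awk '
        function emit() {
            if (stanza ~ /^(WMI|WinEventLog):/) print FILENAME, stanza, dis
        }
        /^[[:space:]]*\[/ {                      # stanza header, e.g. [WMI:AppLogs]
            emit()
            stanza = $0
            sub(/^[[:space:]]*\[/, "", stanza)
            sub(/\].*$/, "", stanza)
            dis = "0"
            next
        }
        /^[[:space:]]*disabled[[:space:]]*=/ {   # disabled = 0|1|true|false
            dis = $0
            sub(/^[^=]*=[[:space:]]*/, "", dis)
            sub(/[[:space:]]*$/, "", dis)
            next
        }
        END { emit() }
    ' "$1"
}

# Same, over any number of files, keeping only stanzas not set to 1/true.
enabled_win_stanzas() {
    for f in "$@"; do
        if [ -f "$f" ]; then list_win_stanzas "$f"; fi
    done | awk '$NF !~ /^(1|true)$/'
}

# The locations Splunk merges on the indexer; missing files are skipped, so an
# unmatched glob is harmless.
scan_splunk_home() {
    enabled_win_stanzas \
        "$SPLUNK_HOME"/etc/system/default/wmi.conf    "$SPLUNK_HOME"/etc/system/local/wmi.conf \
        "$SPLUNK_HOME"/etc/system/default/inputs.conf "$SPLUNK_HOME"/etc/system/local/inputs.conf \
        "$SPLUNK_HOME"/etc/apps/*/default/wmi.conf    "$SPLUNK_HOME"/etc/apps/*/local/wmi.conf \
        "$SPLUNK_HOME"/etc/apps/*/default/inputs.conf "$SPLUNK_HOME"/etc/apps/*/local/inputs.conf
}

# Constructed sample files (made-up test data, not anyone's real config):
# one WMI input left enabled, one disabled, one WinEventLog input enabled.
SAMPLE_WMI="$(mktemp)"; SAMPLE_INPUTS="$(mktemp)"
trap 'rm -f "$SAMPLE_WMI" "$SAMPLE_INPUTS"' EXIT
cat > "$SAMPLE_WMI" <<'EOF'
[settings]
initial_backoff = 5

[WMI:AppLogs]
server = winhost01
event_log_file = Application
interval = 10

[WMI:SysLogs]
server = winhost01
event_log_file = System
interval = 10
disabled = 1
EOF
cat > "$SAMPLE_INPUTS" <<'EOF'
[monitor:///var/log/messages]
disabled = 0

[WinEventLog:Security]
disabled = 0
EOF

echo "Still-enabled Windows inputs in the sample files:"
enabled_win_stanzas "$SAMPLE_WMI" "$SAMPLE_INPUTS"
echo "Still-enabled Windows inputs under $SPLUNK_HOME:"
scan_splunk_home
```

Anything the script lists is a stanza that still needs disabled = 1 in the matching local copy of the file (or removal from Manager). For the authoritative merged view, with the file each setting came from, run "$SPLUNK_HOME/bin/splunk btool wmi list --debug" and "$SPLUNK_HOME/bin/splunk btool inputs list --debug" on the indexer; the script is only a quick way to spot a stray stanza.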

lukejadamec
Super Champion

I agree, if all else fails then reinstall the forwarder. However, it does not matter that your indexer is RHEL when it comes to Splunk and WMI. What matters is what apps you have installed on the indexer, and what configurations you have in apps|system/local|default/inputs.conf|wmi.conf on the indexer.

0 Karma

erinhamilton
Engager

There is not a WMI.conf on the indexer, which is RHEL. I have checked the inputs for both the indexer and UF, added the WinEventLog stanzas and set those to disabled = 1 on the UF.

However I am still receiving the WinEventLogs from that forwarder. This is the only "off" forwarder on Windows that I have with this issue.

If all else fails I will just uninstall the UF until I need it.

0 Karma

sdaniels
Splunk Employee

Sounds like the WinEvents data is coming directly to your Splunk server. Check for the inputs there.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/MonitorWindowsdata#Use_inputs.conf_to_configu...

0 Karma

erinhamilton
Engager

I did as the documentation says, with no change in results.

The stanza had to be manually added to the inputs.conf on the UF. The default stanzas are disabled.

0 Karma