WinEvents are sent to indexer, but forwarder is disabled

Engager

I have turned this particular Universal Forwarder off (it is for testing), however I continue to receive WinEvents from this server.

There is not a wmi.conf in any of the inputs for this forwarder. I have the forwarder service disabled and the outputs.conf has been renamed, and all of the monitor stanzas have been set to disabled.

How can I stop receiving the WinEvents (this is an extra 40 MB/day that I don't need indexed)?

Super Champion

If you stop the splunkd service on the forwarder, and you are still getting inputs, then you are getting them from wmi, which does not require a forwarder. WMI inputs are network based and controlled by the indexer configuration.

Check the wmi inputs on the indexer from Manager > inputs. You may see that wmi inputs are enabled for that server. If they are visible in Manager, then you can disable them from there. If there are no WMI inputs in Manager, the server's forwarder is stopped, and you are still getting data, then check the input.conf files manually.

You can also disable the wmi input on the indexer manually by setting the wmi input to disable = 1. You can find the wmi.conf files in TA_Windows, Windows, and System default and local inputs.conf files. The location of the input will vary depending on your configuration.
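One way to do the manual inputs.conf / wmi.conf check described above, as an added example that is not from the original thread or from Splunk: a POSIX shell function that walks the system and app default/local layers under a Splunk etc directory and reports each WMI/WinEventLog stanza with its disabled value. The directory layout, app name and stanzas in make_sample_etc are constructed for the demonstration; the function does not resolve Splunk's layering precedence, it only shows which files still carry an enabled input.

```shell
#!/bin/sh
# List every [WMI:...] and [WinEventLog:...] stanza in the layered
# inputs.conf / wmi.conf files under a Splunk etc directory, with the
# value of "disabled" set inside that stanza ("unset" if absent).
# Output: <file> TAB <stanza> TAB <disabled value>
list_win_inputs() {
    etc="$1"
    for f in "$etc"/system/default/inputs.conf "$etc"/system/local/inputs.conf \
             "$etc"/system/default/wmi.conf    "$etc"/system/local/wmi.conf \
             "$etc"/apps/*/default/inputs.conf "$etc"/apps/*/local/inputs.conf \
             "$etc"/apps/*/default/wmi.conf    "$etc"/apps/*/local/wmi.conf; do
        [ -f "$f" ] || continue            # unmatched globs stay literal; skip them
        awk -v file="$f" '
            function flush() { if (stanza != "") printf "%s\t%s\t%s\n", file, stanza, val }
            # a Windows input stanza header: remember it, reset disabled to unset
            /^[[:space:]]*\[(WMI|WinEventLog):/ {
                flush(); stanza = $0
                gsub(/^[[:space:]]*|[[:space:]]*$/, "", stanza); val = "unset"; next
            }
            # any other stanza header ends the current Windows stanza
            /^[[:space:]]*\[/ { flush(); stanza = ""; next }
            # disabled = <value> inside a Windows stanza
            stanza != "" && /^[[:space:]]*disabled[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); gsub(/[[:space:]]+$/, ""); val = $0
            }
            END { flush() }
        ' "$f"
    done
}

# Constructed sample etc tree (not a real deployment): one stanza disabled in
# system/local, one WMI stanza shipped enabled by an app default, one left unset.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/system/local" "$d/apps/TA_Windows/default" "$d/apps/TA_Windows/local"
    printf '[WinEventLog:Security]\ndisabled = 1\n' > "$d/system/local/inputs.conf"
    printf '[WMI:WinEventLog:Application]\nserver = WINTEST01\ndisabled = 0\n' \
        > "$d/apps/TA_Windows/default/wmi.conf"
    printf '[monitor:///var/log]\ndisabled = 1\n\n[WinEventLog:System]\n' \
        > "$d/apps/TA_Windows/local/inputs.conf"
    echo "$d"
}
```

On a real host, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` and `splunk btool wmi list --debug` show the merged result and which file wins for each setting.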

Super Champion

I agree, if all else fails then reinstall the forwarder. However, it does not matter that your indexer is RHEL when it comes to Splunk and WMI. What matters is what apps you have installed on the indexer, and what configurations you have in apps|system/local|default/inputs.conf|wmi.conf on the indexer.

Engager

There is not a WMI.conf on the indexer, which is RHEL. I have checked the inputs for both the indexer and UF, added the WinEventLog stanzas and set those to disabled = 1 on the UF.

However I am still receiving the WinEventLogs from that forwarder. This is the only "off" forwarder on Windows that I have with this issue.

If all else fails I will just uninstall the UF until I need it.

Splunk Employee

Sounds like the WinEvents data is coming directly to your Splunk server. Check for the inputs there.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/MonitorWindowsdata#Use_inputs.conf_to_configu...

Engager

I did as the documentation says, with no change in results.

The stanza had to be manually added to the inputs.conf on the UF. The default stanzas are disabled.
