I'd like to turn off a couple modular inputs on a universal forwarder, such as WinPrintMon. Two questions:
1) If there are no inputs.conf settings involving WinPrintMon other than the stanza definition in etc/system/default, does that mean it's not in use? Or is the input doing secret hidden things behind the scenes that might break if I turned it off?
2) If I didn't have access to the forwarder conf files, would there be a way to tell from the search interface whether a particular piece of data was sent via one of these inputs?
The best way to proceed without access to the target system is to use a Deployment Server, if you have one, so I suggest configuring it just to manage these situations.
Anyway, if the problem is to exclude these logs from your results, you can insert in your searches
If the problem is to filter them so as not to overload your license, the best way is to filter them at the source in inputs.conf, or on the Indexer before index time:
in your app's props.conf
and in your app's transforms.conf
    [set_WinPrintMon]
    REGEX=WinPrintMon
    DEST_KEY=_MetaData:Index
    FORMAT=your_index

    [set_nullqueue]
    REGEX=.
    DEST_KEY=queue
    FORMAT=nullQueue
I don't have a system to test the WinPrintMon regex, so check it first.
Beware of the order in props.conf: if you change it, it doesn't work (in transforms.conf it isn't relevant).
Mostly they would come with the default sourcetype.
Yes, as you said, if there are no inputs.conf settings involving WinPrintMon, we can say that printer monitoring is not configured.
Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf.
    # Monitor printers on system.
    [WinPrintMon://printer]
    type = printer
    baseline = 0

    # Monitor print jobs.
    [WinPrintMon://job]
    type = job
    baseline = 1

    # Monitor printer driver installation and removal.
    [WinPrintMon://driver]
    type = driver
    baseline = 1

    # Monitor printer ports.
    [WinPrintMon://port]
    type = port
    baseline = 1
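One way to check the first question offline, as an added example that is not part of the original thread or of Splunk's own tooling: merge copies of the forwarder's inputs.conf layers and list which `WinPrintMon://` inputs are defined and enabled. The file contents are constructed samples, and the layer order (lowest precedence first) and the rule that a stanza without `disabled` counts as enabled are assumptions of this sketch.

```python
# Added example: report WinPrintMon inputs from layered inputs.conf text.
# All three sample layers are constructed, not taken from a real forwarder.
SYSTEM_DEFAULT = "[WinPrintMon]\nbaseline = 0\n"   # bare stanza definition only
APP_LOCAL = """\
# Monitor printers on system.
[WinPrintMon://printer]
type = printer
baseline = 0
[WinPrintMon://job]
type = job
baseline = 1
"""
SYSTEM_LOCAL = "[WinPrintMon://job]\ndisabled = 1\n"  # overrides the app layer

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(layers):
    """Merge layers given lowest precedence first; later layers win per key."""
    merged = {}
    for text in layers:
        for name, attrs in parse_conf(text).items():
            merged.setdefault(name, {}).update(attrs)
    return merged

def configured_inputs(layers, scheme="WinPrintMon"):
    """Return {stanza: enabled} for every '<scheme>://...' input stanza."""
    result = {}
    for name, attrs in merge_layers(layers).items():
        if name.startswith(scheme + "://"):
            # Assumption: a stanza with no 'disabled' key is treated as enabled.
            off = attrs.get("disabled", "0").lower() in ("1", "true", "yes")
            result[name] = not off
    return result

if __name__ == "__main__":
    for layers in ([SYSTEM_DEFAULT], [SYSTEM_DEFAULT, APP_LOCAL, SYSTEM_LOCAL]):
        print(configured_inputs(layers) or "no WinPrintMon inputs configured")
```

On a live forwarder, `splunk btool inputs list --debug` prints the merged configuration along with the file each setting came from.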