Installation

Why does splunkd.exe have a spike in connections?

chanthongphiob
Path Finder

Why does the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" make excessive connections to the machine? I have run into this issue of it maxing out my license, but would like to know the root cause of excessive connections.

0 Karma

solarboyz1
Builder

Event ID 5156, documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The Splunk UF (\splunkuniversalforwarder\bin\splunkd.exe) connects to the configured Splunk indexers, to send events.

It sounds like you may be running into a loop that is exponentially increasing your logging to Splunk.

  1. An event occurs
  2. Splunk UF connects to indexer to send event
  3. WFP logs 5156 for the connection to the indexers
  4. Splunk UF Connects to indexer to send WFP 5156 event
  5. WFP logs 5156 for the connection to the indexers
  6. Splunk UF Connects to indexer to send WFP 5156 event
  7. etc....

There should be an inputs.conf stanza that defines the monitoring of the windows eventlog that is picking up these events.
You can find that with the following command:

c:\Program Files\SplunkUniversalForwarder\bin>splunk btool --debug inputs list WinEventLog://Security

You will can then blacklist the 5156 events, which will stop them from being ingested by splunk:

inputs.conf:

[WinEventLog://Security]
blacklist1 = EventCode="5156"
0 Karma

solarboyz1
Builder

What do you mean by "make excessive connections to the machine?".

What is excessive? Millions, hundreds, ten?
What type of connection? ldap, wmi, https, etc..?
What machine? Is the universal forwarder running on the machine or connecting to it?

"I have run into this issue of it maxing out my license"

What license is it maxing out

0 Karma

chanthongphiob
Path Finder

This is all due to Event ID 5156: The Windows Filtering Platform has allowed a connection. By count of the logs, the number increased. Excessiveness varies according to machines. Machines are Windows boxes. Some machines were running approximately 1 million events everyday but jump to 25 million. Another machine averaged 5000 events per day and increased to 30 million per day.

The event produced includes information with the application name that is executing. The application is "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe".

As to the type of connection, I am uncertain. The log doesn't specify.

The license is my daily volume license.

I have seen another thread where there was a similar issue but the root cause to why the connections were happening was not given.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...