Any reason why Btool might be continuously logging...

hagjos43 · ‎01-19-2016

One of my windows indexers is constantly writing to the btool log in DEBUG mode. I didn't build this environment, but I now manage it. Any reason why this would happen? I'm assuming it's something someone turned on in the past and never turned off. How do I go about disabling this?

Thanks

MuS · ‎01-19-2016

Hi hagjos43,

Either check in the UI Server settings » Server logging the btool-support log channel or on the file system of the server goto $SPLUNK_HOME/etc/ and check the settings in log-btool.cfg or log-local.cfg related to btool.
Don forget to restart Splunk after any logging changes.

Hope this helps ...

cheers, MuS

hagjos43 · ‎01-20-2016

Thanks for the response!

I couldn't post an imagine in the comment section so please see my "Answer" below".

hagjos43 · ‎01-20-2016

so I have a log-btool-debug.cfg listed. Is that why this would be enabled? There is a few -debug files listed (see image).
alt text

MuS · ‎01-20-2016

Those are the default .cfg files, you have to check if either the btool log channel is set to debug or if for what ever reason Splunk is started in debug mode - see the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Enabledebuglogging

Any reason why Btool might be continuously logging in DEBUG mode?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Any reason why Btool might be continuously logging in DEBUG mode?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)