Hello,
I'm playing around in the lab and I've set up a configuration where a Splunk heavy forwarder is receiving Windows events from another computer, then forwarding via syslog to a SIEM system. Looking at the traffic in Wireshark, I can see the event logs going across, but I'm also seeing lots of Info Metrics events going as well.
How do I stop the Info Metrics events?
On the computer with the Splunk universal forwarder, I have the Windows Security event log forwarding to the heavy forwarder using _TCP_ROUTING, and the other logs/perfmon etc. should be going via the standard defaultGroup parameter to another server.
On the heavy forwarder, the received data is routed to the syslog server (SIEM) using the _SYSLOG_ROUTING parameter in the inputs file, so only the events received from there should be routed to the syslog group.
My Splunk heavy forwarder inputs/outputs conf files are as follows:
inputs.conf
# input for other servers
[splunktcp://9998]
disabled = 0
_SYSLOG_ROUTING = siem
[WinEventLog://Security]
_SYSLOG_ROUTING = siem
disabled = 0
index = wineventlog
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk.lab.local:9997
[syslog:siem]
server = siem.lab.local:514
type = udp
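The "INFO Metrics" lines seen on the wire are most likely the forwarder's own metrics.log events (sourcetype splunkd, index _internal), whose message text begins with "INFO  Metrics - group=...". Setting _SYSLOG_ROUTING on the whole [splunktcp://9998] stanza sends every event that arrives on that port to the syslog group, internal logs included. A narrower approach is to leave the port stanza alone and attach the syslog routing to the Windows Security sourcetype with a props/transforms rule, so only those events are copied to the SIEM and everything else stays on the tcpout group. The configuration below is an added example, not the poster's config or anything from Splunk's documentation; it reuses the poster's hostnames and group names, while the stanza name route_security_to_siem and the assumption that the metrics events are the forwarder's _internal data are mine. The sourcetype WinEventLog:Security is what a universal forwarder assigns to that channel by default (XmlWinEventLog:Security when renderXml is enabled on the forwarder).

```ini
# ---- inputs.conf on the heavy forwarder (added example) ----
# No _SYSLOG_ROUTING here: data received on 9998 goes to the default
# tcpout group unless a transform re-routes it.
[splunktcp://9998]
disabled = 0

[WinEventLog://Security]
disabled = 0
index = wineventlog

# ---- props.conf on the heavy forwarder ----
# Apply the routing transform only to Windows Security events, matched by
# sourcetype. The forwarder's splunkd/metrics.log events never match, so
# they stay on the tcpout path and never reach the SIEM.
[WinEventLog:Security]
TRANSFORMS-routing = route_security_to_siem

# Same rule for the XML rendering, in case renderXml = true is set on the UF.
[XmlWinEventLog:Security]
TRANSFORMS-routing = route_security_to_siem

# ---- transforms.conf on the heavy forwarder ----
# Every event of the sourcetypes above is tagged with the syslog group "siem".
# Stanza name is an assumption; pick anything consistent with props.conf.
[route_security_to_siem]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem

# ---- outputs.conf on the heavy forwarder (unchanged from the post) ----
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk.lab.local:9997

[syslog:siem]
server = siem.lab.local:514
type = udp
```

After restarting the heavy forwarder, capture UDP 514 traffic again (a Wireshark filter of udp.port == 514, or tcpdump -n udp port 514 on the SIEM) and confirm that only Security channel events appear; if "INFO  Metrics" lines are still present, check whether the heavy forwarder's own _internal inputs or another splunktcp stanza still carry a stanza-level _SYSLOG_ROUTING setting. Note that the Security events continue to reach splunk.lab.local:9997 as well, because _SYSLOG_ROUTING adds a syslog copy rather than replacing the tcpout destination.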