Hi everyone,

I’m trying to disable Windows Security Event logs on a Universal Forwarder using Deployment Server apps, but it’s not working.

What I did:

First I created an app called disable-security-event with local/inputs.conf:

    [WinEventLog://Security]
    disabled = 1

Deployed it via Deployment Server → shows as successfully deployed on UF. Still, Security logs keep coming.

Then I read about alphabetical precedence, so I created another app ZZZ_disable_security with the same config. That also deployed fine, but btool still shows the disabled = 0 from:

    C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

In Splunk Search I can still see Security logs arriving.

So in short:

Both apps were deployed successfully (I see them in console UI).

But they don’t override the settings from SplunkUniversalForwarder\local\inputs.conf.

Question: How can I properly override or disable Security Event logs defined in SplunkUniversalForwarder\local\inputs.conf using Deployment Server? Is there a way to make my custom app take precedence, or do I need to remove/modify that file manually?

(I am doing it for education to learn Deployment Server, to understand how it works.) I will attach a file of screenshots.

Thanks!