Hi everyone, I’m trying to disable Windows Security Event logs on a Universal Forwarder using Deployment Server apps, but it’s not working. What I did: First I created an app called disable-security-event with local/inputs.conf:   [WinEventLog://Security] disabled = 1 Deployed it via Deployment Server → shows as successfully deployed on UF. Still Security logs keep coming. Then I read about alphabetical precedence, so I created another app ZZZ_disable_security with the same config. That also deployed fine, but btool still shows the disabled = 0 from:   C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf In Splunk Search I can still see Security logs arriving. So in short: Both apps were deployed successfully (I see them in console UI). But they don’t override the settings from SplunkUniversalForwarder\local\inputs.conf. Question: How can I properly override or disable Security Event logs defined in SplunkUniversalForwarder\local\inputs.conf using Deployment Server? Is there a way to make my custom app take precedence, or do I need to remove/modify that file manually? (I am doing it for education to learn Deployment Server, to understand how it works? I will attach a file of screenshots. Thanks! ... View more

Hi everyone, I installed a Splunk Universal Forwarder on a Windows server and by default it immediately started sending a huge amount of old Security/System logs. This quickly caused a license violation. Later I saw that in inputs.conf there is a parameter start_from = oldest. But during the UF installation (using the GUI) I didn’t see any option to control this. After installation it just started forwarding everything. So my question is when is the right time to configure start_from? ... View more