WinEvent Security logs are consuming most of the license size limit. Tried reconfiguring the forwarder after unchecking the WinEvent logs, but still the same.
Also tried configuring the below input.conf, but still the same:
[WinEventLog://Application]
disabled = true
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true
Did you restart the forwarder after editing the config file?
Try running btool on the forwarder to verify you changed the right inputs.conf file.
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe btool --debug inputs list | more
Hi,
thanks for your inputs.
Yes, I did the restart after updating the input.conf file.
And I am getting the below output after running btool --debug:
evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  filesPerDelay = 10
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  followLinks = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  fullEvent = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  hashMaxSize = -1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  pollPeriod = 600
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  recurse = true
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sendEventMaxSize = -1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  signedaudit = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  [http]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  allowSslCompression = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  allowSslRenegotiation = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  dedicatedIoThreads = 2
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  enableSSL = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  maxSockets = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  maxThreads = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  port = 8088
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  sslVersions = *,-ssl2
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  useDeploymentServer = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sourcetype = splunk_version
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _telemetry
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [monitor://C:\inetpub\logs\LogFiles]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  crcSalt = <SOURCE>
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  sourcetype = ms:iis:default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [script]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  interval = 60.0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  start_by_shell = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [script://C:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  interval = 10000000
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  persistentQueueSize = 200MB
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  queue = winparsing
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  source = wmi
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sourcetype = wmi
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [splunktcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  acceptFrom = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = ip
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [tcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  acceptFrom = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = dns
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [udp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = ip
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
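Reading a long btool --debug dump by eye is error-prone, so here is a small checker for the verification step Rich suggested. It is an added example written for this thread, not Splunk's own tooling. It assumes each line of `splunk btool --debug inputs list` has the form `<path to .conf file>  <[stanza] | key = value>` on a single line (the wrapping that `| more` produced above has been undone), resolves every stanza to its winning key/value pairs and the file that supplied each, and then reports, for each WinEventLog stanza, whether it is effectively disabled and which inputs.conf set that, or that the stanza is absent from the resolved configuration altogether. The sample output embedded below is constructed for the example; the app name `my_windows_inputs` is a placeholder.

```python
"""Resolve `splunk btool --debug inputs list` output and check WinEventLog stanzas.

Added example, not Splunk code.  Assumption: one btool --debug record per line,
`<path>.conf  <payload>`, where payload is `[stanza]` or `key = value`."""
import re
from typing import Dict, Set, Tuple

# A btool --debug line: a path ending in .conf, whitespace, then the payload.
LINE_RE = re.compile(r"^(?P<path>.*?\.conf)\s+(?P<payload>.+)$")

# inputs.conf accepts several spellings of a boolean true.
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}

# The three stanzas the question tried to disable.
EXPECTED = ("WinEventLog://Application", "WinEventLog://Security", "WinEventLog://System")

# Constructed sample output (not the thread's real dump): Security disabled in
# etc/system/local, Application enabled by a placeholder app, System absent.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = true
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf  [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [monitor://C:\inetpub\logs\LogFiles]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  sourcetype = ms:iis:default
"""


def parse_btool_debug(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {stanza: {key: (value, source_file)}}.

    Lines that do not fit the `<path> <payload>` shape (for example a line
    truncated by the terminal) are skipped rather than raising."""
    stanzas: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, payload = m.group("path"), m.group("payload").strip()
        if payload.startswith("[") and payload.endswith("]"):
            current = payload[1:-1]          # stanza header, e.g. WinEventLog://Security
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in payload:
            continue
        key, _, value = payload.partition("=")
        stanzas[current][key.strip()] = (value.strip(), path)
    return stanzas


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def wineventlog_status(stanzas: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, Tuple[str, str]]:
    """For every WinEventLog:// stanza present, return ('enabled'|'disabled', source file)."""
    result: Dict[str, Tuple[str, str]] = {}
    for name, keys in stanzas.items():
        if not name.startswith("WinEventLog://"):
            continue
        if "disabled" in keys:
            value, src = keys["disabled"]
            result[name] = ("disabled" if is_true(value) else "enabled", src)
        else:
            # No `disabled` key at any layer: Splunk runs the input.
            result[name] = ("enabled", "<no disabled key in any inputs.conf>")
    return result


def missing_wineventlog(stanzas: Dict[str, Dict[str, Tuple[str, str]]],
                        expected: Tuple[str, ...] = EXPECTED) -> Set[str]:
    """Expected stanzas that appear in no inputs.conf on this forwarder.

    A stanza that is absent is not configured here at all, so an edit that
    sets `disabled = true` for it changes nothing; the event volume must be
    coming from another host, add-on or input type."""
    return {name for name in expected if name not in stanzas}


if __name__ == "__main__":
    resolved = parse_btool_debug(SAMPLE)
    for stanza, (state, src) in sorted(wineventlog_status(resolved).items()):
        print(f"{stanza}: {state} (set in {src})")
    for stanza in sorted(missing_wineventlog(resolved)):
        print(f"{stanza}: not present in any inputs.conf on this forwarder")
```

Run it against the real dump by replacing `SAMPLE` with the saved `btool --debug inputs list` output; because btool already applies precedence, the path next to `disabled` is the file that actually won, which tells you immediately whether the edited file is the one Splunk is reading. Run against the output pasted in this thread, the checker would report all three WinEventLog stanzas as not present on this forwarder.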
Rich is correct. This should stop the flow of logs. If they're still coming in, you can always remove all 3 stanzas from inputs.conf, copy them into Notepad or elsewhere to revisit them if you need to in the future, and restart splunkd. That surely will do it.
FYI: when we say restart splunkd, we mean restart it on the system on which the forwarder is installed.
If you're managing this from the deployment master, then make sure that the deployment app under which this system falls has the capability to restart splunkd. Only then will you be able to make the changes effective from the deployment master. You can always edit the app, add the capability of restarting splunkd, and save it. Make sure that the app is still enabled after the change. I've had times where, after making the changes, the app gets disabled.
Hope this helps. Whichever solution works for you, please accept it as answer.
S