Splunk Enterprise

WinEventLog inputs using most of the license resources

svsecurity
Engager

WinEventLog Security logs are consuming most of the license size limit. I tried reconfiguring the forwarder after unchecking the WinEventLog inputs, but it is still the same.

I also tried configuring the below inputs.conf, but it is still the same:

[WinEventLog://Application]
disabled = true

[WinEventLog://Security]
disabled = true

[WinEventLog://System]
disabled = true


richgalloway
SplunkTrust

Did you restart the forwarder after editing the config file?

Try running btool on the forwarder to verify you changed the right inputs.conf file.

C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe btool --debug inputs list | more
---
If this reply helps you, Karma would be appreciated.
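A small checker for the step Rich describes, added here as an example and not code from the thread or from Splunk: it parses `btool --debug inputs list` output, reports every `WinEventLog://` stanza with its effective `disabled` value and the file that set it, and says so explicitly when no such stanza exists at all. That last case matters because btool lists disabled stanzas too, so an empty result means the forwarder has no WinEventLog input defined, not that the input is switched off. It assumes the unwrapped `--debug` layout (`<winning .conf path>  <[stanza] | key = value>`); the sample dumps and the app name `my_windows_inputs` are constructed for illustration.

```python
"""Report the effective state of WinEventLog inputs from `btool --debug` output.

Added example for this thread, not code from Splunk or from the poster. It
assumes the --debug layout `<winning .conf path>  <[stanza] | key = value>` on
unwrapped lines (re-join lines if your console wrapped them at 80 columns). The
sample dumps and the app name `my_windows_inputs` are constructed.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# One --debug line: the path of the file whose value won, whitespace, then
# either a stanza header or a `key = value` pair.
LINE_RE = re.compile(r"^(?P<path>.*?\.conf)\s+(?P<rest>\S.*)$")

# {stanza name: {key: (value, path that set it, or None when unknown)}}
Stanzas = Dict[str, Dict[str, Tuple[str, Optional[str]]]]


def parse_btool_debug(text: str) -> Stanzas:
    """Group btool --debug lines by stanza, remembering which file set each key."""
    stanzas: Stanzas = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            path, rest = m.group("path"), m.group("rest").strip()
        else:  # no path in front: a truncated or hand-trimmed line
            path, rest = None, line
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, _, value = rest.partition("=")
            stanzas[current][key.strip()] = (value.strip(), path)
    return stanzas


def is_true(value: str) -> bool:
    """Splunk boolean syntax: 1/0, true/false, t/f, yes/no, y/n."""
    return value.strip().lower() in {"1", "true", "t", "yes", "y"}


def wineventlog_status(stanzas: Stanzas) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map each WinEventLog://<channel> stanza to (is_disabled, file that set `disabled`).

    btool lists disabled stanzas too, so an empty result means the forwarder has
    no WinEventLog input defined at all. A stanza without a `disabled` key is
    enabled (Splunk's default) and reports None as its source file.
    """
    report: Dict[str, Tuple[bool, Optional[str]]] = {}
    for name, keys in stanzas.items():
        if name.startswith("WinEventLog://"):
            value, path = keys.get("disabled", ("0", None))
            report[name] = (is_true(value), path)
    return report


def summarize(text: str) -> str:
    """One line per channel, or a pointer elsewhere when nothing is defined here."""
    status = wineventlog_status(parse_btool_debug(text))
    if not status:
        return ("no WinEventLog stanza at all: this forwarder does not read Windows "
                "event logs, so the Security events come from another forwarder/host "
                "or from a different input type (for example a wmi.conf input)")
    out = []
    for name, (disabled, path) in sorted(status.items()):
        state = "disabled" if disabled else "ENABLED"
        source = f"set in {path}" if path else "no `disabled` key, Splunk default"
        out.append(f"{name}: {state} ({source})")
    return "\n".join(out)


# Constructed sample: the three channels, Security disabled from system\local.
SAMPLE_WITH_WINEVENTLOG = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\default\inputs.conf  [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\default\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\default\inputs.conf  [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\default\inputs.conf  [WinEventLog://System]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [monitor://C:\inetpub\logs\LogFiles]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = false
"""

# Constructed sample shaped like the dump in this thread: no WinEventLog stanza.
SAMPLE_NO_WINEVENTLOG = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [monitor://C:\inetpub\logs\LogFiles]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  sourcetype = ms:iis:default
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [splunktcp]
"""

if __name__ == "__main__":
    # Pipe real output in:  splunk.exe btool --debug inputs list | python check.py -
    if sys.argv[1:] == ["-"]:
        print(summarize(sys.stdin.read()))
    else:
        print(summarize(SAMPLE_WITH_WINEVENTLOG), "---", summarize(SAMPLE_NO_WINEVENTLOG), sep="\n")
```

Run it with `-` to read a real dump from stdin; without arguments it prints the verdict for both constructed samples. The second sample reproduces the situation in this thread: no `WinEventLog://` stanza in the dump, which means the forwarder being checked is not the one generating the Security events.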

svsecurity
Engager

Hi,

Thanks for your inputs.

Yes, I did restart after updating the inputs.conf file.

And I am getting the below output after running btool with --debug:

evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  filesPerDelay = 10
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  followLinks = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  fullEvent = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  hashMaxSize = -1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  pollPeriod = 600
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  recurse = true
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sendEventMaxSize = -1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  signedaudit = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  [http]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  allowSslCompression = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  allowSslRenegotiation = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  dedicatedIoThreads = 2
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  enableSSL = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  maxSockets = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  maxThreads = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  port = 8088
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  sslVersions = *,-ssl2
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf  useDeploymentServer = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sourcetype = splunk_version
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = _telemetry
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  _TCP_ROUTING = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  index = _internal
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  [monitor://C:\inetpub\logs\LogFiles]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  crcSalt = <SOURCE>
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf  sourcetype = ms:iis:default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [script]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  interval = 60.0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  start_by_shell = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [script://C:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  interval = 10000000
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  persistentQueueSize = 200MB
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  queue = winparsing
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  source = wmi
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  sourcetype = wmi
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  [splunktcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  acceptFrom = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = ip
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf  route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [tcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  acceptFrom = *
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = dns
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  [udp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  connection_host = ip
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf  index = default


richgalloway
SplunkTrust
I don't see WinEventLog in that output. That could explain why it's not working. 😉
---
If this reply helps you, Karma would be appreciated.

shivanshu1593
Builder

Rich is correct. This should stop the flow of logs. If they're still coming in, you can always remove all three stanzas from inputs.conf, copy them into Notepad or elsewhere to revisit them if you need to in the future, and restart splunkd. That will surely do it.

FYI: when we say restart splunkd, we mean restart it on the system on which the forwarder is installed.

If you're managing this from the deployment master, then make sure that the deployment app under which this system falls has the capability to restart splunkd. Only then will you be able to make the changes effective from the deployment master. You can always edit the app, add the capability of restarting splunkd and save it. Make sure that the app is still enabled after the change. I've had times where, after making the changes, the app gets disabled.

Hope this helps. Whichever solution works for you, please accept it as the answer.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
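The setup described above, as an added example that is not part of the thread (the app name `disable_wineventlog` and the server class name `windows_forwarders` are hypothetical): the three disabled stanzas delivered to the forwarder as a deployment app, and the serverclass.conf entry on the deployment server that gives that app the restart capability so the change takes effect without a manual restart.

```ini
# --- On the forwarder, delivered by the deployment server:
# etc\apps\disable_wineventlog\local\inputs.conf   (app name is hypothetical)
# After the push and restart, `btool --debug inputs list` should show each of
# these stanzas with `disabled = true` attributed to this file.
[WinEventLog://Application]
disabled = true

[WinEventLog://Security]
disabled = true

[WinEventLog://System]
disabled = true

# --- On the deployment server: etc\system\local\serverclass.conf
# (server class name is hypothetical). restartSplunkd = true is what makes the
# forwarder restart after the app is pushed, so the new stanzas actually load.
[serverClass:windows_forwarders]
whitelist.0 = *

[serverClass:windows_forwarders:app:disable_wineventlog]
restartSplunkd = true
```

After editing serverclass.conf, run `splunk reload deploy-server` on the deployment server so the class is re-read. Two precedence caveats: etc\system\local\inputs.conf on the forwarder outranks every app, and if two apps both set the same stanza in their local directories the winner is decided by app directory name order, so confirm the result with btool --debug on the forwarder rather than assuming the pushed app won.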