We have one server which sends many logs say per hour 4000 logs which are not required i.e. event ID of 560 and 562. As we don't want these logs we have disabled the auditing in the respective server, since it was of no luck we were still receiving the logs.
Post which we disabled and uninstalled Splunk Forwarder, uninstalled the respective software which sends logs to Splunk and also we are seeing huge logs of that particular server. Anywhere else we need to disable?
Not at all possible. when a software doesnt exit/uninstalled how can it do its job ?!
This has been solved.
What was the solution?
Do you mean that you're still seeing new events from this server despite that you have inactivated these events and also uninstalled the forwarder there? That seems...highly unlikely unless you did something seriously wrong...
Sorry it is not 4000 per hour, it is per minute