Hi,
I noticed this in my Linux UFW splunkd.log:
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinNetMon://" with 15 parameters: remoteAddress, process, user, addressFamily, packetType, direction, protocol, readInterval, driverBufferSize, userBufferSize, mode, multikvMaxEventCount, multikvMaxTimeMs, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinPrintMon://" with 4 parameters: type, baseline, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "WinRegMon://" with 7 parameters: proc, hive, type, baseline, baseline_interval, disabled, index
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "admon://" with 7 parameters: targetDc, startingNode, monitorSubtree, disabled, index, printSchema, baseline
12-08-2014 20:39:00.162 -0500 INFO SpecFiles - Found external scheme definition for stanza "perfmon://" with 10 parameters: object, counters, instances, interval, mode, samplingInterval, stats, disabled, index, showZeroValue
Why is a Linux UFW reporting on Windows monitors?
I don't know if you have resolved this or not, but my first guess would be that the Splunk_TA_windows got deployed to the *nix UF, possibly via a deployment server if you use one.
You could check this with the btool command, which on *nix, if you installed in the default location, would be:
/opt/splunk/bin/splunk cmd btool --debug inputs list
or, to specifically just see one of the above, perhaps:
/opt/splunk/bin/splunk cmd btool --debug inputs list WinRegMon
That should output from which app the input stanzas are being read. Once you have the app name/directory, you could do a little manual sleuthing to see if you can figure out how it got there.
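As an added example (not part of the original answer), the script below condenses the btool output described above into one line per Windows-only stanza, showing the app it comes from. It assumes each `--debug` line has the form "conf file path, whitespace, config line" and that apps live under `etc/apps`; the function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Attribute Windows-only input stanzas to the app that defines them.
# Assumption: each line of `btool --debug` output is
#   <conf file path><whitespace><config line>

# Windows-only input schemes, taken from the splunkd.log lines in the question.
WIN_SCHEMES='WinNetMon|WinPrintMon|WinRegMon|admon|perfmon'

# Reads btool --debug output on stdin.
# Prints "<app><TAB><stanza><TAB><conf file>" for every Windows-only stanza header.
win_stanza_sources() {
  awk -v schemes="$WIN_SCHEMES" '
    {
      path = $1
      line = $0
      sub(/^[^ \t]+[ \t]+/, "", line)          # drop the path column
      if (line !~ ("^\\[(" schemes ")(:|\\])")) next
      app = "(outside etc/apps)"
      n = split(path, p, "/")
      for (i = 1; i + 2 <= n; i++) {
        if (p[i] == "etc" && p[i+1] == "apps")   app = p[i+2]
        if (p[i] == "etc" && p[i+1] == "system") app = "system"
      }
      printf "%s\t%s\t%s\n", app, line, path
    }'
}

# Constructed sample of btool --debug output (not captured from a real host).
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/system/default/inputs.conf                 [default]
/opt/splunk/etc/system/default/inputs.conf                 host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [perfmon://CPU]
/opt/splunk/etc/apps/Splunk_TA_nix/default/inputs.conf     [script://./bin/cpu.sh]
EOF
}

# On a real forwarder, pipe the command from the answer instead of the sample:
#   /opt/splunk/bin/splunk cmd btool --debug inputs list | win_stanza_sources
sample_btool_output | win_stanza_sources
```

Empty output means no app on the host defines any of these stanzas in inputs.conf.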