I have enabled the SplunkLightForwarder app and it sends internal logs to my indexers. Is there a way for me to stop the logs from being sent?
In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true
You may also individually disable each occurrence:
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true
Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.
In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true
You may also individually disable each occurrence:
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true
Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.
I attempted to disable the logging with $SPLUNK_HOME/var/log/splunk but it did not change anything.
I currently have problems with 2 x Windows 2008 with UAC enabled. Other Windows 2003 and 2008 WITHOUT UAC are fine. This leads me to believe it is the problem of the forwarder itself. I also tried to install forwarder with administrator rights. Unfortunately nothing has helped so far.
I tried Universal Forwarder 6.2.2, 6.2.4, and the server is 6.2.2.
Does anyone have similar issue?
i suggest you ask this question as a separate question; the question you're commenting on is 5 years old.
I am a new user and I can't post more than 2 comments on my first day. Is there any way to grant me permission to post more?