
How do I tell my Light Forwarder to stop forwarding internal logs?

Simeon
Splunk Employee

I have enabled the SplunkLightForwarder app and it sends internal logs to my indexers. Is there a way for me to stop the logs from being sent?

0 Karma

Simeon
Splunk Employee

In version 4.1.x, the Splunk Light Forwarder app is now configured to send internal logs to the indexer. To disable this, you can create an inputs.conf setting on the Forwarding machine that turns off these inputs. If you have a custom app that sets your inputs.conf on the forwarder, then you can add the following line to the local settings within that app. Otherwise, you should create a $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf file that contains the following lines:

[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true

You may also individually disable each occurrence:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
disabled = true

Note: when running "splunk list monitor", you will still see these files as being monitored even though they are disabled.
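
An added example, not part of the original answer and not Splunk's own code: a Python check that models only the local-over-default layering inside one app, merging a constructed default/inputs.conf with a local/inputs.conf and listing the monitor stanzas that remain enabled. The default stanzas, the `index` values and the function names are assumptions, and stanzas are matched by exact name.

```python
import configparser

# Constructed sample standing in for the app's default/inputs.conf (not the real file).
DEFAULT_CONF = """
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_audit.log]
index = _internal
"""

# Constructed local/inputs.conf carrying only two of the three per-file overrides.
LOCAL_CONF = """
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true
"""

TRUTHY = {"true", "1"}  # assumption: only these spellings count as disabled here


def parse(text):
    """Read conf text into {stanza: {key: value}} without $VAR interpolation."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_monitors(default_text, local_text):
    """Merge per stanza and per key: local values override default values."""
    merged = parse(default_text)
    for stanza, keys in parse(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return {s: k for s, k in merged.items() if s.startswith("monitor://")}


def still_forwarding(default_text, local_text):
    """Return the monitor stanzas whose effective 'disabled' is not set."""
    monitors = effective_monitors(default_text, local_text)
    return sorted(s for s, k in monitors.items()
                  if k.get("disabled", "false").strip().lower() not in TRUTHY)


if __name__ == "__main__":
    for stanza in still_forwarding(DEFAULT_CONF, LOCAL_CONF):
        print("still enabled:", stanza)
```

With the sample input, license_audit.log is reported because its override is missing from the local file.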

fuyong518
New Member

I attempted to disable the logging with $SPLUNK_HOME/var/log/splunk but it did not change anything.

I currently have problems with 2 x Windows 2008 with UAC enabled. Other Windows 2003 and 2008 WITHOUT UAC are fine. This leads me to believe it is the problem of the forwarder itself. I also tried to install the forwarder with administrator rights. Unfortunately nothing has helped so far.

I tried Universal Forwarder 6.2.2, 6.2.4, and the server is 6.2.2.

Does anyone have a similar issue?

0 Karma

piebob
Splunk Employee

I suggest you ask this question as a separate question; the question you're commenting on is 5 years old.

0 Karma

fuyong518
New Member

I am a new user and I can't post more than 2 comments on my first day. Is there any way to grant me permission to post more?

0 Karma