Hi,
why is my UF on Windows executing various splunk-* tools without them being configured in any input?
Every few minutes I see them in sysmon:
splunk-powershell.exe
splunk-regmon.exe
splunk-powershell.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe
splunk-winprintmon.exe
I do not see them in any inputs.conf.
thx
afx
In defaults/inputs.conf you should have something like this:
[admon]
interval=60
baseline=0
[MonitorNoHandle]
interval=60
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
[WinPrintMon]
interval=60
[WinRegMon]
interval=60
baseline=0
[perfmon]
interval=300
[powershell]
interval=60
[powershell2]
interval=60
disable them in local/inputs.conf like this:
[perfmon]
interval = -1
[powershell]
interval = -1
[powershell2]
interval = -1
[admon]
interval = -1
[WinRegMon]
interval = -1
[WinNetMon]
interval = -1
[MonitorNoHandle]
interval = -1
[WinPrintMon]
interval = -1
Just watch your config file precedence if you need to re-enable them later.
You want these defined at a lower level than anything you might need later, so pushing an app called "z_overrides" with them defined in local reduces the likelihood of problems if you later enable them in another app (assuming you don't name all your apps z_something 🙂
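As an added illustration of the precedence point above (example code, not from this thread or from Splunk): a small Python resolver that merges constructed inputs.conf layers in Splunk's global-context order (system/default, then apps/*/default, then apps/*/local, then system/local, with ASCII-first app names winning inside an app tier) and reports what each Windows modular input would do. The paths, app names and file contents are constructed; interval = -1 is reported as run-once-at-startup, as described elsewhere in this thread.

```python
# Added example: resolve effective inputs.conf stanzas across Splunk config layers.
# All file paths and contents below are constructed for illustration.
MODINPUTS = ("admon", "MonitorNoHandle", "WinNetMon", "WinPrintMon",
             "WinRegMon", "perfmon", "powershell", "powershell2")

def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; comments and blank lines skipped."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = stanzas.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line:
            k, _, v = line.partition("=")
            cur[k.strip()] = v.strip()
    return stanzas

def tier(path):
    """0 system/default < 1 apps/*/default < 2 apps/*/local < 3 system/local."""
    app, scope = path.replace("\\", "/").split("/")[-3:-1]
    if app == "system":
        return 0 if scope == "default" else 3
    return 1 if scope == "default" else 2

def precedence_order(paths):
    """Lowest to highest precedence. In the app tiers the ASCII-first app name
    wins ('A' beats 'z'), so apps are applied in reverse name order."""
    by_tier = {t: sorted(p for p in paths if tier(p) == t) for t in range(4)}
    return by_tier[0] + by_tier[1][::-1] + by_tier[2][::-1] + by_tier[3]

def effective_inputs(files):
    """files: {path: text}. Keys merge per stanza; the later (higher) layer wins."""
    merged = {}
    for path in precedence_order(files):
        for stanza, kv in parse_conf(files[path]).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

def schedule(stanza):
    """'not configured', 'disabled', 'once at startup' (interval = -1) or 'every Ns'."""
    if not stanza:
        return "not configured"
    if stanza.get("disabled", "0").lower() in ("1", "true"):
        return "disabled"
    interval = stanza.get("interval", "60")
    return "once at startup" if interval == "-1" else f"every {interval}s"

def report(files):
    merged = effective_inputs(files)
    return {name: schedule(merged.get(name, {})) for name in MODINPUTS}

FILES = {  # constructed sample layering: defaults, a z_overrides app, and a re-enabling app
    "etc/system/default/inputs.conf": "[admon]\ninterval=60\nbaseline=0\n[perfmon]\ninterval=300\n[powershell]\ninterval=60\n",
    "etc/apps/z_overrides/local/inputs.conf": "[perfmon]\ninterval = -1\ndisabled = 1\n[powershell]\ninterval = -1\n",
    "etc/apps/Splunk_TA_windows/local/inputs.conf": "# 'S' sorts before 'z', so this app beats z_overrides\n[perfmon]\ninterval = 300\ndisabled = 0\n",
}

if __name__ == "__main__":
    for name, status in report(FILES).items():
        print(f"{name:16} {status}")
```

Note that keys merge individually: the re-enabling app has to reset disabled as well as interval, or the disabled = 1 from z_overrides would still apply.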
Hi @afx,
Since version 7.3.0 of Splunk, there's also the new run_introspection configuration value. If you set that to false, and disabled to true for a particular modular input, then that input will never run (the alternative of interval = -1 means that the modular input will run once upon startup).
Cheers,
- Jo.
Still on 7.2.4, but good to know,
thx
afx
Thanks,
looks like that worked (I also added a disabled=1 as I did not put it into a local file but pushed it via the deployment server).
thx
afx
I think they get invoked periodically in case you have any inputs configured.
With no inputs of those types defined, they execute and then quit.
The admon might also be invoked if you have any windows events configured with evt_resolve_ad_obj defined, but even if you don't I think it behaves the same way.
Not very efficient in my eyes and they fill up the sysmon execution log.
The only benefit is the license increase for Splunk ;-(
Any ideas on how to disable this?
thx
afx