Getting Data In

Why is the Universal forwarder executing regmon, powershell and others without them being explicitly configured?

afx
Contributor

Hi,
why is my UF on Windows executing various splunk-* tools without them being configured in any input?
Every few minutes I see them in sysmon:
splunk-powershell.exe
splunk-regmon.exe
splunk-powershell.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe
splunk-winprintmon.exe

I do not see them in any inputs.conf.

thx
afx

0 Karma
1 Solution

nickhills
Ultra Champion

In defaults/inputs.conf you should have something like this:

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60

disable them in local/inputs.conf like this:

[perfmon]
interval = -1

[powershell]
interval = -1

[powershell2]
interval = -1

[admon]
interval = -1

[WinRegMon]
interval = -1

[WinNetMon]
interval = -1

[MonitorNoHandle]
interval = -1

[WinPrintMon]
interval = -1

Just watch your config file precedence if you need to re-enable them later.
You want these defined at a lower level than anything you might need later, so pushing an app called "z_overrides" with them defined in local reduces the likelihood of problems if you later enable them in another app (assuming you don't name all your apps z_something 🙂)

If my comment helps, please give it a thumbs up!

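As an added example (not code from this thread or from Splunk), here is the precedence rule nickhills describes, modelled in Python from Splunk's documented global-context order for inputs.conf: system/local first, then every app's local directory in ASCII order, then every app's default directory, then system/default, merged attribute by attribute. The directory names, stanza contents and the "Splunk_TA_windows" app are constructed samples, and the model ignores app-context and deployment-server details; it shows why a later app that only sets interval=60 does not undo a pushed disabled=1.

```python
# Added example: model of Splunk's documented global-context precedence for
# inputs.conf. All directories and file contents below are constructed samples.
LAYERS = {
    "system/default":
        "[WinRegMon]\ninterval=60\nbaseline=0\n[powershell]\ninterval=60\n",
    "apps/z_overrides/local":
        "[WinRegMon]\ninterval = -1\ndisabled = 1\n"
        "[powershell]\ninterval = -1\ndisabled = 1\n",
    # A later app re-enables WinRegMon fully but powershell only by interval.
    "apps/Splunk_TA_windows/local":
        "[WinRegMon]\ninterval = 60\ndisabled = 0\n[powershell]\ninterval = 60\n",
}

def parse_conf(text):
    """Parse a Splunk .conf: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def precedence_order(dirs):
    """Global context, highest first: system/local, apps/*/local in ASCII
    order, apps/*/default in ASCII order, system/default. ASCII order is
    why 'Splunk_TA_windows' outranks 'z_overrides'."""
    tier = {"system/local": 0, "system/default": 3}
    return sorted(dirs, key=lambda d: (tier.get(d, 1 if d.endswith("/local") else 2), d))

def effective_inputs(layers):
    """Merge attribute by attribute: the highest-precedence file setting a key wins."""
    merged = {}
    for d in precedence_order(layers):
        for stanza, attrs in parse_conf(layers[d]).items():
            target = merged.setdefault(stanza, {})
            for k, v in attrs.items():
                target.setdefault(k, v)  # first seen = highest precedence
    return merged

def is_scheduled(attrs):
    """Runs on its interval only if not disabled and interval is not -1."""
    return attrs.get("disabled", "0") not in ("1", "true") and attrs.get("interval") != "-1"
```

Running `effective_inputs(LAYERS)` shows WinRegMon scheduled again while powershell stays disabled, because the re-enabling app never set disabled=0.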

jhornsby_splunk
Splunk Employee

Hi @afx,

Since version 7.3.0 of Splunk, there's also the new run_introspection configuration value. If you set that to false, and disabled to true for a particular modular input, then that input will never run (the alternative of interval = -1 means that the modular input will run once upon startup).

Cheers,

- Jo.

0 Karma

afx
Contributor

Still on 7.2.4, but good to know,
thx
afx

0 Karma


afx
Contributor

Thanks,
looks like that worked (I also added a disabled=1 as I did not put it into a local file but pushed it via the deployment server).

thx
afx

nickhills
Ultra Champion

I think they get invoked periodically in case you have any inputs configured.
With no inputs of those types defined, they execute and then quit.

The admon might also be invoked if you have any windows events configured with evt_resolve_ad_obj defined, but even if you don't I think it behaves the same way

If my comment helps, please give it a thumbs up!
0 Karma

afx
Contributor

Not very efficient in my eyes, and they fill up the sysmon execution log.
The only benefit is the licence increase for Splunk ;-(

Any ideas on how to disable this?

thx
afx

0 Karma