
Why is the Universal forwarder executing regmon, powershells and others without them being explicitly configured?

afx
Contributor

Hi,
why is my UF on Windows executing various splunk-* tools without them being configured in any input?
Every few minutes I see them in sysmon:
splunk-powershell.exe
splunk-regmon.exe
splunk-powershell.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe
splunk-winprintmon.exe

I do not see them in any inputs.conf.

thx
afx


nickhills
Ultra Champion

In defaults/inputs.conf you should have something like this:

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60

disable them in local/inputs.conf like this:

[perfmon]
interval = -1

[powershell]
interval = -1

[powershell2]
interval = -1

[admon]
interval = -1

[WinRegMon]
interval = -1

[WinNetMon]
interval = -1

[MonitorNoHandle]
interval = -1

[WinPrintMon]
interval = -1

Just watch your config file precedence if you need to re-enable them later.
You want these defined at a lower level than anything you might need later, so pushing an app called "z_overrides" with them defined in local reduces the likelihood of problems if you later enable them in another app (assuming you don't name all your apps z_something 🙂)

If my comment helps, please give it a thumbs up!

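To see why the answer above recommends a low-sorting app name, here is an added example (not from the thread or from Splunk) that merges layered inputs.conf files the way Splunk's documented global-context precedence does: system/local on top, then every app's local, then every app's default, then system/default, with apps ordered by ASCII name so "A" beats "z". The three files below are constructed, and the app name "splunk_ps_inputs" is hypothetical.

```python
import configparser

# Constructed layers: the forwarder's default stanzas, the override app from the
# answer above, and a second app that later turns one input back on.
SYSTEM_DEFAULT = """
[WinRegMon]
interval=60
baseline=0
[powershell]
interval=60
"""
APPS = {
    "z_overrides": {"local": """
[WinRegMon]
interval = -1
disabled = 1
[powershell]
interval = -1
disabled = 1
"""},
    "splunk_ps_inputs": {"local": """
[powershell]
interval = 60
disabled = 0
"""},
}

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def resolve(system_default, apps, system_local=""):
    # Lowest priority first; each later layer overwrites keys from earlier ones.
    layers = [system_default]
    for scope in ("default", "local"):  # every app local outranks every app default
        for app in sorted(apps, reverse=True):  # 'z_...' applied before 'a...': ASCII-first wins
            layers.append(apps[app].get(scope, ""))
    layers.append(system_local)  # system/local is the top of the stack
    effective = {}
    for text in layers:
        for stanza, keys in parse_conf(text).items():
            effective.setdefault(stanza, {}).update(keys)
    return effective

def input_runs(stanza):
    # A modular input is scheduled only when interval != -1 and it is not disabled.
    off = stanza.get("disabled", "0").strip().lower() in ("1", "true", "t", "yes", "y")
    return stanza.get("interval", "60").strip() != "-1" and not off
```

Resolved this way, WinRegMon stays off while powershell is back on because "splunk_ps_inputs" sorts before "z_overrides"; on a real forwarder, `splunk btool inputs list --debug` shows the same resolution together with the file that won each setting.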

jhornsby_splunk
Splunk Employee

Hi @afx,

Since version 7.3.0 of Splunk, there's also the new run_introspection configuration value. If you set that to false, and disabled to true for a particular modular input, then that input will never run (the alternative of interval = -1 means that the modular input will run once upon startup).

Cheers,

- Jo.


afx
Contributor

Still on 7.2.4, but good to know,
thx
afx



afx
Contributor

Thanks,
looks like that worked (I also added a disabled=1 as I did not put it into a local file but pushed it via the deployment server).

thx
afx

nickhills
Ultra Champion

I think they get invoked periodically in case you have any inputs configured.
With no inputs of those types defined, they execute and then quit.

The admon might also be invoked if you have any windows events configured with evt_resolve_ad_obj defined, but even if you don't I think it behaves the same way.

If my comment helps, please give it a thumbs up!

afx
Contributor

Not very efficient in my eyes and they fill up the sysmon execution log.
The only benefit is the licence increase for Splunk ;-(

Any ideas on how to disable this?

thx
afx
