Running Splunk alongside Windows anti-virus products
When running Splunk on a Windows computer that has an anti-virus product such as McAfee's VirusScan installed, Splunk strongly recommends that you exclude all Splunk processes (such as splunkd.exe, splunkweb.exe, splunk-wmi.exe and so on), as well as the entire %SPLUNK_HOME% directory from any kind of on-access scanning.
Splunk requires lots of disk I/O bandwidth to perform indexing tasks. In particular, disk write operations are very intensive, and this can clash with any product that installs a driver that intermediates between Splunk and the operating system. This includes anti-virus on-access scanner drivers. Failure to exclude the Splunk processes and installation directory from these scans can lead to poor performance, including but not limited to unresponsive servers.
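The following is an added example, not code from this article or from Splunk, showing how the recommended exclusions can be registered with Microsoft Defender Antivirus from an elevated PowerShell session; the article names McAfee VirusScan, so the `Add-MpPreference` cmdlets used here are an assumption about the product in use, as is the default install path used as a fallback when `%SPLUNK_HOME%` is not set.

```powershell
# Added example (not from the Splunk documentation): exclude the Splunk
# processes and the whole %SPLUNK_HOME% tree from Defender's on-access
# (real-time) scanning. Run from an elevated PowerShell session.

# Resolve %SPLUNK_HOME%; the fallback path is an assumption, adjust as needed.
$splunkHome = $env:SPLUNK_HOME
if (-not $splunkHome) { $splunkHome = 'C:\Program Files\Splunk' }
if (-not (Test-Path -LiteralPath $splunkHome)) {
    throw "SPLUNK_HOME not found at '$splunkHome'; set the variable or fix the path."
}

# Processes named in the article.
$splunkProcesses = @('splunkd.exe', 'splunkweb.exe', 'splunk-wmi.exe')

# Exclude the entire installation directory (indexes, var\lib, bin, etc.).
Add-MpPreference -ExclusionPath $splunkHome

# Process exclusions make Defender skip files these processes open, including
# monitored log files that live outside %SPLUNK_HOME%.
foreach ($proc in $splunkProcesses) {
    Add-MpPreference -ExclusionProcess (Join-Path $splunkHome "bin\$proc")
}

# Verify what Defender now has on record for Splunk.
$pref = Get-MpPreference
$pref.ExclusionPath    | Where-Object { $_ -like "$splunkHome*" }
$pref.ExclusionProcess | Where-Object { $_ -like '*splunk*' }
```

Excluded paths are not scanned at all, so if policy requires some coverage of %SPLUNK_HOME%, keep it under scheduled (not on-access) scans or file-integrity monitoring rather than leaving it unwatched.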
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2, 5.0.3
Comments
Does this also include Linux Splunk servers? Also, could specific directories under %SPLUNK_HOME% be identified that cause major problems? I.e., in case security procedures require periodic scans of the bin files, etc.
Hi Paulahoffman,
We are not aware of any specific problems that occur with Linux Splunk servers and antivirus scanning software. However, we do recommend that, unless absolutely necessary, no scanning of Splunk files takes place, as those scans directly and significantly impact indexing performance.
As Splunk creates and deletes many directories and files - none of which have specific filename extensions - during the process of operation, we can't give specific advice beyond excluding the entirety of %SPLUNK_HOME%.