Splunk® Enterprise

Release Notes

Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade

Important:

A new build of the Splunk universal forwarder for Windows that fixes the issue described in this topic is available on Splunk's universal forwarder download page.

The fixed universal forwarder has build number 182611 and was made available on Tuesday, October 8, 2013.

Introduction

This page discusses how to work around an issue where installing or upgrading the Splunk 6.0 universal forwarder on Windows systems enables the Registry monitor and file system change (FSchange) inputs unexpectedly under certain conditions.

Symptoms

When you install or upgrade the Splunk version 6.0 universal forwarder under certain conditions as detailed below, the universal forwarder enables monitoring of the Registry and changes to the file system.

Soon after installing the universal forwarder, you might see license violations on your Splunk indexers due to the significant increase in indexing volume that the enabled inputs generate.

Cause

This problem has multiple causes:

  • The Splunk Technology Add-on for Windows (which is included in the Splunk universal forwarder installation package) has a configuration file, regmon-filters.conf, which enables Registry monitoring by default.
  • The TA also has an inputs.conf which enables the fschange input by default.
  • Migration logic introduced in version 5.0 of Splunk moves configuration information from files like regmon-filters.conf into inputs.conf. Because migrated inputs are enabled unless explicitly disabled, this causes specific problems in this scenario when you upgrade the universal forwarder.

This problem only appears on Windows systems.

Workaround

To work around this issue, follow the instructions in the table below based on the scenario that best applies to your situation:

Scenario 1
  • You perform a clean install of the Splunk universal forwarder, but do not enable any of the inputs that the forwarder's installer offers to install.
Impact: No impact.
Workaround: No workaround needed.

Scenario 2
  • You perform a clean install of the Splunk universal forwarder, AND
  • You enable one or more of the inputs that the installer offers to install.
Impact: The forwarder installs the Splunk Technology Add-on for Windows. The TA enables the Registry Monitor and FSchange inputs by default. This results in increased indexing volume and potential license violations.
Workaround: After installing the forwarder, edit regmon-filters.conf and inputs.conf in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory to explicitly disable the inputs. Then, restart the universal forwarder to ensure the changes take effect. Confirm that the forwarder is no longer collecting Registry monitoring and FSchange data.

Scenario 3
  • You perform a clean install of the Splunk universal forwarder, but do not enable any of the inputs that the forwarder's installer offers to install, AND
  • You subsequently install the Splunk Technology Add-on for Windows.
Impact: The TA enables the Registry Monitor and FSchange inputs by default. This results in increased indexing volume and potential license violations.
Workaround: After installing the Splunk Technology Add-on for Windows, edit regmon-filters.conf and inputs.conf in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory to explicitly disable the inputs. Then, restart the universal forwarder to ensure the changes take effect. Confirm that the forwarder is no longer collecting Registry monitoring and FSchange data.

Scenario 4
  • You upgrade a universal forwarder from either Version 4 or 5 to Version 6, AND
  • You have not previously installed the Splunk Technology Add-on for Windows (either manually or via a deployment server).
Impact: If you have not explicitly disabled existing Windows inputs, any inputs that get migrated from their Version 4- or 5-style configuration files will be enabled by default in Version 6 due to how migration to modular inputs works. This leads to collection of unexpected information by the upgraded forwarder.
Workaround: After upgrading the forwarder, review inputs.conf for migrated Windows inputs, and explicitly disable the inputs you do not want enabled by adding disabled=1 to each input's stanza.

Scenario 5
  • You upgrade a universal forwarder from either Version 4 or 5 to Version 6, AND
  • You have previously installed the Splunk Technology Add-on for Windows (either manually or via a deployment server).
Impact: If you have not explicitly disabled existing Windows inputs, any inputs that get migrated from their Version 4- or 5-style configuration files will be enabled by default in Version 6 due to how migration to modular inputs works. This leads to collection of unexpected information by the upgraded forwarder.
Workaround: After upgrading the forwarder, review inputs.conf for migrated Windows inputs, and explicitly disable the inputs you do not want enabled by adding disabled=1 to each input's stanza.

Important: You must restart Splunk on the computer after performing any changes for those changes to take effect.
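The review-and-disable step in the workarounds above can be done by hand, but on a fleet of forwarders it is easy to miss a stanza. The following script is an added example and is not part of Splunk's documentation or tooling: it parses Splunk's ini-style .conf files, lists every Registry monitor or fschange stanza that is not explicitly disabled, and renders a local/inputs.conf override that switches them off. It assumes the stanza prefixes WinRegMon:// (the inputs.conf form of Registry monitoring) and fschange: for file system change inputs, and the set of boolean spellings it accepts for disabled is an assumption; the sample inputs.conf text is constructed for the demonstration. The same parser works on regmon-filters.conf, where every stanza is a Registry monitoring filter.

```python
"""Audit Splunk .conf files for enabled Registry-monitor and fschange inputs.

Added example, not Splunk's own tooling. Assumes stanza prefixes
"WinRegMon://" and "fschange:" identify the inputs this topic discusses.
"""
import re

# Constructed sample of what a migrated inputs.conf might contain.
SAMPLE_INPUTS_CONF = """\
# constructed sample for the demonstration
[WinRegMon://default]
hive = .*
proc = .*
type = set|create|delete|rename

[fschange:C:\\Windows]
recurse = true
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinRegMon://already-off]
disabled = 1
"""

# Boolean spellings accepted for "disabled" (assumption, deliberately generous).
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}

# Stanza prefixes for the inputs that generate the unexpected volume.
NOISY_PREFIXES = ("WinRegMon://", "fschange:")


def parse_conf(text):
    """Parse Splunk's ini-style .conf format into {stanza: {key: value}}.

    Handles '#'/';' comment lines, blank lines and backslash line continuations.
    Keys that appear before any [stanza] header are filed under "default".
    """
    stanzas = {}
    current = stanzas.setdefault("default", {})
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", stripped)
        if header:
            current = stanzas.setdefault(header.group(1), {})
            continue
        if "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def is_disabled(settings):
    """True if the stanza carries an explicit disabled=<true value>."""
    return settings.get("disabled", "0").strip().lower() in TRUE_VALUES


def enabled_noisy_inputs(stanzas, prefixes=NOISY_PREFIXES):
    """Return stanza names of Registry/fschange inputs that are still enabled."""
    return sorted(
        name for name, settings in stanzas.items()
        if name.startswith(prefixes) and not is_disabled(settings)
    )


def render_disable_overrides(names):
    """Build the text of a local/inputs.conf that switches the inputs off.

    Splunk layers local/ over default/, so a stanza holding only
    'disabled = 1' is enough to override the shipped setting.
    """
    lines = ["# generated: explicitly disable unexpected Windows inputs"]
    for name in names:
        lines += ["", "[%s]" % name, "disabled = 1"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In practice read %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\default\inputs.conf
    # (and regmon-filters.conf) instead of the constructed sample.
    found = enabled_noisy_inputs(parse_conf(SAMPLE_INPUTS_CONF))
    print("enabled inputs to disable:", found)
    print(render_disable_overrides(found))
```

Write the rendered text to the local directory named in the workaround table, restart the forwarder, and re-run the audit against the merged configuration (default plus local) to confirm that the list comes back empty.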


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.6.0, 6.6.1
